Install-time package hardening for every package manager
12 protection layers. 6 ecosystems. Zero dependencies. One tool.
pip install is a trust exercise
A single install command can pull in hundreds of transitive dependencies. Any one of them can execute arbitrary code and steal everything on your machine.
safe-install wraps your package manager with layered install-time hardening. No config files, no setup, no dependencies.
Resolve the full dependency tree. Check every package against typosquat detection, threat intelligence feeds, and source code analysis for exfiltration patterns.
Move credentials to a temporary vault. Spin up a Docker sandbox with zero host access. Install packages in complete isolation — no filesystem, no network, no credentials.
Take filesystem snapshots before and after. Watch for unexpected network connections, DNS queries, and file changes. Generate a full audit report.
Each layer works independently. If one fails, others still protect you. Use Layer 1 (Docker). Everything else is a fallback.
1. Complete OS-level isolation. Package code runs in a locked-down container with zero access to host filesystem, credentials, or network. [Strong]
2. Refuses source distributions entirely. Wheels and prebuilt packages skip code execution during install. [Strong (install)]
3. SHA256 verification of every package. Detects any tampering, supply chain swaps, or dependency confusion attacks. [Strong (tamper)]
4. Moves SSH keys, cloud creds, API tokens, and browser data to a temporary vault. Clears env vars during install. [Moderate]
5. Levenshtein distance, keyboard proximity, and phonetic matching against top packages. Catches "reqeusts", "lodsah", "colourama". [Moderate]
6. Cross-references packages against known-malicious registries, OSV advisories, and community blocklists. [Heuristic]
7. Inspects setup.py, postinstall.js, build.rs for exfiltration patterns: file reads, network calls, env access, obfuscation. [Heuristic]
8. Detects suspicious compiled artifacts, embedded scripts, and obfuscated payloads in distributed packages. [Experimental]
9. Takes before/after snapshots to detect unexpected file modifications, new files, or changes to sensitive paths. [Heuristic]
10. Monitors vault integrity during install. Detects any attempts to access, copy, or exfiltrate protected credentials. [Moderate]
11. Monitors DNS queries during install. Flags unexpected domains, data exfiltration via DNS tunneling, and C2 beacons. [Heuristic]
12. Detects unexpected outbound connections, data exfiltration attempts, and communication with known malicious IPs. [Heuristic]
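The typosquat detection layer described above combines edit distance, keyboard proximity and phonetic matching. As an added example that is not safe-install's own code, here is a small checker built on the same three ideas: a keyboard-weighted Damerau-Levenshtein distance plus a crude phonetic normaliser, scored against a constructed list of top packages. The QWERTY adjacency table, the phonetic rules, the threshold and the TOP_PACKAGES list are my assumptions, not the project's.

```python
"""Typosquat checker in the spirit of safe-install's typosquat layer (added example, not the project's code)."""

# Constructed sample of popular names a squatter would imitate.
TOP_PACKAGES = ["requests", "lodash", "colorama", "numpy", "express", "serde"]
# QWERTY rows: keys are adjacent when they touch in the same row or the row
# above/below, so a fat-finger substitution scores closer than a random one.
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {c: (r, i) for r, row in enumerate(_ROWS) for i, c in enumerate(row)}

def key_adjacent(a: str, b: str) -> bool:
    """True if a and b are neighbouring keys on a QWERTY keyboard."""
    if a not in _POS or b not in _POS:
        return False
    (ra, ca), (rb, cb) = _POS[a], _POS[b]
    return abs(ra - rb) <= 1 and abs(ca - cb) <= 1

def weighted_distance(s: str, t: str) -> float:
    """Damerau-Levenshtein (OSA): insert/delete/swap cost 1; substitution 0.5 if adjacent keys, else 1."""
    d = [[float(i + j) if i == 0 or j == 0 else 0.0
          for j in range(len(t) + 1)] for i in range(len(s) + 1)]
    for i in range(1, len(s) + 1):
        for j in range(1, len(t) + 1):
            a, b = s[i - 1], t[j - 1]
            sub = 0.0 if a == b else (0.5 if key_adjacent(a, b) else 1.0)
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + sub)
            if i > 1 and j > 1 and a == t[j - 2] and s[i - 2] == b:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(s)][len(t)]

def phonetic_key(name: str) -> str:
    """Crude phonetic normaliser: colour/color, ph/f, c/k, doubled letters and inner vowels collapse."""
    n = name.lower()
    for old, new in (("ph", "f"), ("ck", "k"), ("c", "k"), ("ou", "o"), ("y", "i")):
        n = n.replace(old, new)
    n = "".join(c for i, c in enumerate(n) if i == 0 or c != n[i - 1])
    return n[:1] + "".join(c for c in n[1:] if c not in "aeiou")

def check_name(name: str, threshold: float = 2.0) -> "dict | None":
    """None for an exact or unrelated name, else the top package it resembles and why."""
    if name in TOP_PACKAGES:
        return None
    best = min(TOP_PACKAGES, key=lambda p: weighted_distance(name, p))
    dist = weighted_distance(name, best)
    if dist <= threshold:
        return {"candidate": best, "reason": "edit-distance", "score": dist}
    for pkg in TOP_PACKAGES:
        if phonetic_key(name) == phonetic_key(pkg):
            return {"candidate": pkg, "reason": "phonetic", "score": dist}
    return None
```

With this list, check_name("reqeusts"), check_name("lodsah") and check_name("colourama") each resolve to their real counterpart at distance 1.0, while a name such as "kolourrama" is too far by edit distance and is caught only by the phonetic key.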
Five distribution channels that work together. Use the CLI directly, integrate into your editor, or automate in CI/CD.
Drop-in replacement for pip/npm/cargo install. Zero config, zero dependencies.
Real-time scanning in your editor. Inline warnings when you add risky dependencies.
Audit every dependency change in PRs. Block merges that introduce threats.
System-wide protection. Intercepts package installs across all terminals automatically.
Integrated into Docker Desktop. Scan images and audit packages in containers.
Zero dependencies. Single file. Works on Linux, macOS, and Windows.
# Install from PyPI
pip install safe-install
# Verify it works
safe-install --version
# Check what's exposed on your machine right now
safe-install check-env

# Download the single file (zero deps)
curl -O https://raw.githubusercontent.com/Khaeldur/safe-install/main/src/safe_install/cli.py
# Run directly
python cli.py --version
# Or move to your PATH
chmod +x cli.py && mv cli.py /usr/local/bin/safe-install

# Clone and install in development mode
git clone https://github.com/Khaeldur/safe-install.git
cd safe-install
pip install -e .
# Or just run the CLI directly
python src/safe_install/cli.py --version
Takes less than 30 seconds. Uses only Python stdlib.
Real output from real commands. No staged demos.