Every npm install or pip install is checked against SafeDep’s malware intelligence before any code runs. PMG is free, open source, and needs no account or API key.
What PMG does
- Blocks before code runs: catches malicious packages at install time, not after they are already in your environment.
- No workflow change: wraps your existing package managers. You and your AI coding agents run the same commands.
- Deep dependency analysis: resolves and checks the full transitive dependency tree, not just the package you asked for.
- No account needed: uses SafeDep’s free community API. Apache 2.0 licensed, no signup or API key.
How it works
PMG intercepts each install command, resolves the dependency tree, and checks every package against SafeDep’s malicious package intelligence before allowing the install to proceed. Known malicious packages are blocked outright. An optional dependency cooldown policy can also skip package versions published within a recent time window, the period in which a freshly compromised release is most likely to be installed before it has been detected and flagged. It supports npm, pnpm, yarn, bun, npx, pnpx, pip, uv, and poetry. For dependency-resolution internals and CLI flags, see the PMG repository.
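The following is an added illustration of the two checks just described (a malicious-package lookup and a publish-time cooldown) applied across a transitive dependency tree, as the "Deep dependency analysis" bullet above describes. It is not PMG's code and does not mirror its internals. It assumes the shape of an npm registry document (`dist-tags`, `time`, `versions`), which is real; the package names, timestamps, dependency edges and the `MALICIOUS` feed are constructed, dependencies are pinned to exact versions rather than semver ranges, and `SAMPLE_NOW` is a fixed clock so the cooldown arithmetic is reproducible.

```python
"""Toy install gate for the checks described above: a malicious-package
lookup and a publish-time cooldown, applied to the whole dependency tree.
Added illustration, not PMG's code; every name and timestamp is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: the slice of an npm registry document
# (GET https://registry.npmjs.org/<name>) that the gate needs. Dependencies are
# pinned to exact versions for brevity; real manifests carry semver ranges.
REGISTRY = {
    "example-app-lib": {
        "dist-tags": {"latest": "2.0.0"},
        "time": {
            "created": "2025-01-10T12:00:00.000Z",   # real "time" maps carry these
            "modified": "2025-06-14T22:05:00.000Z",  # non-version keys too
            "1.0.0": "2025-01-10T12:00:00.000Z",
            "1.1.0": "2025-03-02T09:30:00.000Z",
            "2.0.0": "2025-06-14T22:05:00.000Z",     # fresh release
        },
        "versions": {
            "1.0.0": {"dependencies": {}},
            "1.1.0": {"dependencies": {"example-color": "3.1.0"}},
            "2.0.0": {"dependencies": {"example-color": "3.0.0"}},
        },
    },
    "example-color": {
        "dist-tags": {"latest": "3.1.0"},
        "time": {"3.0.0": "2024-11-01T08:00:00.000Z", "3.1.0": "2025-02-15T10:00:00.000Z"},
        "versions": {"3.0.0": {"dependencies": {}}, "3.1.0": {"dependencies": {}}},
    },
}

# Constructed stand-in for a malicious-package feed, keyed by
# (ecosystem, name, version); the real feed is queried over an API.
MALICIOUS = {("npm", "example-color", "3.1.0")}

# Fixed "current time" so the cooldown arithmetic is reproducible.
SAMPLE_NOW = datetime(2025, 6, 16, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    verdict: str   # "allow", "malicious", "cooldown" or "unknown"
    detail: str


def _semver_key(v: str) -> tuple:
    # Numeric major/minor/patch; a prerelease sorts below its release.
    core, _, pre = v.partition("-")
    return tuple(int(x) for x in core.split(".")) + (pre == "", pre)


def _published_at(meta: dict, version: str) -> datetime:
    # npm timestamps end in "Z"; older fromisoformat() wants an explicit offset.
    return datetime.fromisoformat(meta["time"][version].replace("Z", "+00:00"))


def check_package(name, version, *, cooldown, now, registry=REGISTRY, malicious=MALICIOUS) -> Finding:
    """Malicious lookup first, then the cooldown, for a single name@version."""
    meta = registry.get(name)
    if meta is None or version not in meta["versions"]:
        return Finding(name, version, "unknown", "not found in the registry")
    if ("npm", name, version) in malicious:
        return Finding(name, version, "malicious", "flagged by the malicious-package feed")
    age = now - _published_at(meta, version)
    if age < cooldown:
        # Name the newest version that is both old enough and not flagged. Iterate
        # "versions", not "time": the latter also holds "created"/"modified".
        eligible = [v for v in meta["versions"]
                    if now - _published_at(meta, v) >= cooldown
                    and ("npm", name, v) not in malicious]
        hint = (f"newest eligible version is {max(eligible, key=_semver_key)}"
                if eligible else "no version is outside the window")
        return Finding(name, version, "cooldown",
                       f"published {age.days} day(s) ago, inside the {cooldown.days}-day window; {hint}")
    return Finding(name, version, "allow", "")


def check_tree(name, version=None, *, cooldown_days=7, now=None,
               registry=REGISTRY, malicious=MALICIOUS) -> list[Finding]:
    """Walk the transitive tree depth-first and return one Finding per node."""
    cooldown = timedelta(days=cooldown_days)
    now = now or datetime.now(timezone.utc)
    version = version or registry[name]["dist-tags"]["latest"]
    findings, seen, stack = [], set(), [(name, version)]
    while stack:
        n, v = stack.pop()
        if (n, v) in seen:
            continue                       # a diamond dependency is checked once
        seen.add((n, v))
        f = check_package(n, v, cooldown=cooldown, now=now, registry=registry, malicious=malicious)
        findings.append(f)
        if f.verdict != "unknown":         # metadata exists, so its deps can be walked
            stack.extend(registry[n]["versions"][v]["dependencies"].items())
    return findings


def install_allowed(findings: list[Finding]) -> bool:
    return all(f.verdict == "allow" for f in findings)
```

With the sample data, `check_tree("example-app-lib", now=SAMPLE_NOW)` blocks the latest release on cooldown and points the user at 1.1.0 as the newest version outside the window; `check_tree("example-app-lib", "1.1.0", now=SAMPLE_NOW)` passes the requested package itself but is still blocked because its transitive dependency example-color@3.1.0 is on the feed. Setting `cooldown_days=0` disables the cooldown without touching the malicious lookup, which matches the text's description of the cooldown as optional.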
Connect PMG to SafeDep Cloud and the installs it checks sync to Endpoint Hub as Package Guard events, a timeline of package activity across your team’s endpoints. Local blocking works the same with or without an account.
Get started
PMG Quickstart
Install PMG and protect your package managers in minutes.
Malicious Package
How SafeDep detects malicious packages across registries.
PMG on GitHub
Source, full documentation, and CI usage.

