Show HN: Computer Police – block malicious NPM/pip installs locally

computer.police.dev

1 point by kannthu 8 days ago · 2 comments · 1 min read


A couple of months ago, our team got hit by the first version of Shai-Hulud through a random `npm install`. We didn't catch it until it was too late.

I built Computer Police for our team to never be in this situation again.

It's designed to block that earlier. It runs a local registry proxy between your package manager and npm/PyPI, and stops confirmed-malicious packages before they touch disk.

It's deliberately narrow: malware only, no CVE scanning, no heuristics, no telemetry, no root, and removable with one command. Works locally, in CI, and in agent sandboxes.

https://computer.police.dev/

hootz 8 days ago

Interesting. How long does it usually take for an attack to be identified and catalogued at OSV? Should this be used together with minimum release date?

  • kannthu (OP) 8 days ago

    I don't have the exact number for you, but what I observed was that it took a couple of hours for npm to remove some of the packages this week, even though an advisory was published.

    + To be clear, this tool does not solve the problem if you are one of the first people to get infected; it minimizes your chance if you are the N-th person.
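As an added illustration (not Computer Police's own code, which the post does not show), here is the policy decision a local registry proxy of the kind described above could make before serving a package: a confirmed-malware denylist check, combined with the minimum release age that hootz asks about. The package name, versions, timestamps and denylist are constructed, and the function names are my own.

```python
"""Policy check a local registry proxy could apply before handing a package
to npm or pip: block versions on a confirmed-malware denylist, and hold back
versions younger than a minimum release age so the denylist has time to
catch up. All names, versions and timestamps below are constructed."""
import json
from datetime import datetime, timedelta

# Constructed denylist of (package, version) pairs confirmed malicious.
DENYLIST = {("example-widget", "1.4.2"), ("example-widget", "1.4.3")}

# Constructed excerpt of an npm-style packument; "time" maps each version
# to its publish timestamp (ISO 8601, UTC).
PACKUMENT = json.loads("""{
  "name": "example-widget",
  "dist-tags": {"latest": "1.4.4"},
  "time": {
    "1.4.1": "2025-01-10T12:00:00.000Z",
    "1.4.2": "2025-03-01T09:30:00.000Z",
    "1.4.3": "2025-03-02T18:45:00.000Z",
    "1.4.4": "2025-03-03T10:00:00.000Z"
  }
}""")


def parse_ts(stamp):
    """Parse an ISO 8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def decide(packument, version, denylist, min_age_hours, now_iso):
    """Return (allowed, reason) for one package version. Denylist hits are
    refused outright; a version not yet min_age_hours old is refused too,
    since the denylist lags publication and can only protect the N-th victim."""
    name = packument["name"]
    if (name, version) in denylist:
        return False, f"{name}@{version}: on confirmed-malware denylist"
    if version not in packument["time"]:
        return False, f"{name}@{version}: no publish record, refusing"
    age = parse_ts(now_iso) - parse_ts(packument["time"][version])
    if age < timedelta(hours=min_age_hours):
        return False, f"{name}@{version}: only {age} old, under minimum age"
    return True, f"{name}@{version}: allowed"


if __name__ == "__main__":
    # 'latest' resolves to a version published two hours ago: held back.
    latest = PACKUMENT["dist-tags"]["latest"]
    for v in ("1.4.1", "1.4.2", latest):
        print(decide(PACKUMENT, v, DENYLIST, 72, "2025-03-03T12:00:00Z"))
```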
