Supply Chain Defense

Proactive, behavioural-first defense against the 2026 software supply chain threat: self-propagating worms (Shai-Hulud / Mini Shai-Hulud) that poison popular npm and PyPI packages, steal credentials, republish from stolen tokens, and inject persistence hooks specifically into Claude Code and VS Code settings.

Helps with

- Deciding whether a dependency you're about to add is safe — getting a behavioural verdict on an npm or PyPI package before / , not days later when a CVE drops. , the depscore MCP, or .
- A teammate or CI just pulled a freshly-published package version and yo…