
A package manager for the trustless world.

Mini Shai-Hulud showed how trusted npm packages can become install-time credential stealers before a developer notices. SCPM makes every exact package and subdependency version wait for meticulous AI analysis on our servers before install continues.

curl -fsSL https://scpm.dev/install.sh | sh
Pricing

Stop playing Russian roulette every time you run "npm install".

One compromised tarball, install script, or transitive version can be the loaded chamber. SCPM waits for meticulous AI analysis on our servers before that code gets a chance to execute on your machine.

Another "npm install"?

Normal installs are now an attack path.

Mini Shai-Hulud, ua-parser-js, and xz point at the same failure: a familiar package name can arrive with unreviewed artifact code. As attackers use AI to move faster, SCPM makes every exact resolved version wait for current line-by-line review before the CLI continues.
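The failure described above (a familiar name arriving as an exact resolved version, direct or transitive, that may run code at install time) is something a team can at least enumerate locally while waiting for review. The script below is an added illustration, not SCPM's code and not a description of how its analysis works: it walks a lockfile in the "packages" map shape npm 7+ writes (lockfileVersion 2 or 3), lists every exact pinned version, and flags packages whose manifest declares a preinstall, install or postinstall hook. The lockfile, manifests, registry URLs and integrity strings are constructed sample data; in a real tree the manifests would be read from node_modules after an install run with scripts disabled.

```javascript
// Added illustration, not SCPM's code. Walks an npm lockfile (v2/v3 "packages"
// map, as npm 7+ writes it), lists every exact resolved version, and flags
// packages whose manifest declares lifecycle hooks that run at install time.
// All lockfile and manifest data below is constructed sample input.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed package-lock.json (lockfileVersion 3). Integrity values are placeholders.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "demo-util": "^1.3.0", "demo-lib": "^2.0.0" } },
    "node_modules/demo-util": {
      version: "1.3.0",
      resolved: "https://registry.example/demo-util/-/demo-util-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/demo-lib": {
      version: "2.0.1",
      resolved: "https://registry.example/demo-lib/-/demo-lib-2.0.1.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: { "deep-dep": "^0.9.0" },
    },
    "node_modules/demo-lib/node_modules/deep-dep": {
      version: "0.9.4",
      resolved: "https://registry.example/deep-dep/-/deep-dep-0.9.4.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
  },
};

// Constructed package.json contents keyed by the same node_modules path; in a
// real tree these would be read from disk after `npm install --ignore-scripts`.
const MANIFESTS = {
  "node_modules/demo-util": { name: "demo-util", version: "1.3.0" },
  "node_modules/demo-lib": { name: "demo-lib", version: "2.0.1", scripts: { test: "node test.js" } },
  "node_modules/demo-lib/node_modules/deep-dep": {
    name: "deep-dep",
    version: "0.9.4",
    scripts: { postinstall: "node setup.js" },
  },
};

// Package name is everything after the last "node_modules/" segment, which keeps
// scoped names such as "@scope/pkg" intact.
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Every exact version the lockfile pins, direct or transitive.
function resolvedVersions(lock) {
  const root = lock.packages[""] || {};
  const directNames = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  return Object.entries(lock.packages)
    .filter(([p]) => p !== "")
    .map(([p, meta]) => {
      const name = nameFromPath(p);
      return {
        name,
        version: meta.version,
        path: p,
        resolved: meta.resolved,
        // Direct only when it sits at the top level and the root declares it.
        direct: p === `node_modules/${name}` && directNames.has(name),
      };
    });
}

// Packages whose manifest declares a hook npm would run during install.
function installScriptFindings(lock, manifests) {
  const findings = [];
  for (const pkg of resolvedVersions(lock)) {
    const manifest = manifests[pkg.path];
    if (!manifest) continue; // not materialised on disk; nothing to inspect
    const scripts = manifest.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length > 0) {
      findings.push({
        name: pkg.name,
        version: pkg.version,
        direct: pkg.direct,
        hooks,
        commands: hooks.map((h) => scripts[h]),
      });
    }
  }
  return findings;
}

// Stand-alone run: print the pinned versions and the install-time hooks found.
for (const v of resolvedVersions(LOCKFILE)) {
  console.log(`${v.direct ? "direct    " : "transitive"} ${v.name}@${v.version}`);
}
for (const f of installScriptFindings(LOCKFILE, MANIFESTS)) {
  console.log(`install-time script: ${f.name}@${f.version} -> ${f.hooks.join(", ")}`);
}
```

The check only reads manifests; nothing in the tree is executed. On a real project the tree would be materialised with `npm install --ignore-scripts` (a standard npm option that skips lifecycle scripts), the manifests read from node_modules, and any flagged package reviewed before scripts are allowed to run. It is a coarse inventory of where install-time code exists, not a judgement on whether that code is safe.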

Mini Shai-Hulud technical breakdown (Snyk video)

Pricing.

Monthly package installs count direct dependencies and subdependencies resolved through SCPM, as each one goes through meticulous AI analysis on our servers.

Free

$0

monthly

For non-commercial projects, experiments, and local evaluation.

50,000 packages installed monthly

  • Meticulous AI package analysis
  • Direct and transitive dependency analysis
  • Evidence for every package and subdependency
Request access

Pro

$50

monthly

For commercial developers who want reviewed installs on active projects.

Commercial use tier

  • SCPM install flow for commercial work
  • Reuse completed analysis across installs
  • Upgrade path for team volume
Request access

Startup

$350

monthly

For small teams standardizing secure installs across repos and CI.

15 seats, 400,000 packages installed monthly

  • Shared team usage
  • CI and local install coverage
  • Team-wide analysis reuse
Request startup access

Enterprise

Custom

annual contract

For organizations with procurement, security review, and large install volume.

Custom seats and package volume

  • Custom package install limits
  • Security and compliance review
  • Deployment and support planning
Contact us

npm ergonomics with server-reviewed install trees.

$ scpm install

resolving package tree

requesting AI analysis

waiting: vite@7.2.4 line review running