Say hello to PrivJs Safe

As developers of the modern-day world, we often rely upon open-source libraries and frameworks to build various products. As others create these libraries - their source code is often overlooked and your projects might be at risk of supply-chain attacks. In a worst-case scenario, some open-source libraries could execute malware onto your devices and steal sensitive information. This is every developer's worst nightmare and PrivJs Safe intends to solve this problem.

What is PrivJs Safe

PrivJs safe is an online service that blocks the installation of vulnerable open-source packages in your project. The security check is performed during install time and hence vulnerable packages are prevented from being installed into your machines.

PrivJs Safe acts as a firewall for protection against vulnerable npm packages. It is built mainly for organizations to log & secure all open-source package installations across all devices in the company and shield them from supply-chain attacks.

What is a supply chain attack?

A supply chain attack can be explained in multiple ways, but for the context of developers - it is a type of cyber-attack that compromises the security of an organization through third-party dependencies. For example, if a dependency in your project is vulnerable to Remote Code Execution attacks - then it could act as an exploit for hackers to gain access to your servers.

Supply chain attacks are not just limited to vulnerabilities. Some packages create and execute malware on the devices to sniff out confidential information. Some dependencies are compromised through account takeover leading to the creation of a backdoor. Usually, these risks are identified but developers usually find out about these vulnerabilities after the dependencies are installed - which in our opinion is too late.

It only takes a few seconds for a malware to steal confidential data from your device.

How does PrivJs Safe Work?

PrivJs maintains a database of vulnerable packages & the versions and actively blocks the installation of those vulnerable package versions. So, when a developer runs the command $ npm install <some-package> - this package is first scanned for vulnerabilities by us, and only if it passes the security check, the installation proceeds. Otherwise, the installation is blocked.

What are the benefits of using PrivJs Safe?

PrivJs actively blocks the installation of vulnerable npm packages - enabling your organization to develop software without having to worry about underlying security vulnerabilities. Apart from blocking the vulnerabilities, PrivJs Safe also allows you to selectively **allow** the installation of packages that you trust or use as developer dependencies.

With a subscription to PrivJs Safe, your team also gets a complimentary license to the PrivJs Safe ESLint Plugin - which helps you to identify and secure vulnerable imports in your project.

Active updates

We launched PrivJs Safe recently and are very excited to secure the javascript ecosystem. Our team is actively working on making the platform better as well as build innovative tooling to make security accessible to all developers.

Conclusion