Today, we're officially introducing Package Firewall, a new capability built on the AURI platform, that blocks malicious, vulnerable, and non-compliant open-source packages before they get pulled in by AI coding agents like Cursor, Claude Code, OpenAI Codex, or Google Antigravity.
Package Firewall sits between your developer machines, private package registries, CI pipelines, and the public registries. Every install request flows through it. Known malicious packages are blocked at the source, and clean packages install normally. It is fully integrated with the Endor Labs policy engine, so you can also block vulnerable dependencies or packages that don’t match your license policies.
How Package Firewall works
Package Firewall sits in front of public registries and every install request flows through it. Package Firewall is powered by Endor's proprietary malware feed, updated within minutes of any new package hitting public registries.
When a developer or CI job requests a package:
- If the firewall has flagged it as malware, the request is blocked and the client gets a 403. The package never touches the disk.
- If the package is clean, the request is redirected to the upstream registry and installs normally.
- Either way, the event is logged with the package name, version, time, and reason, visible in the Endor Labs UI or via the API.
There are two ways to deploy it:
- Integrated with private package registries. If you're already running a central artifact manager like JFrog Artifactory, point its remote repository at the Package Firewall URL. Nothing on the developer side changes.
- Endpoint Mode . If you don't have an artifact repository, package firewall configuration can be pushed to developer machines via MDM and to CI runners via a config snippet, developers don't have to do anything.
You can also enforce policies, like cooldown periods. One of the more uncomfortable findings from our malware report: 88% of organizations know the first few days after a release are the highest-risk window, but only 21% enforce cooldown periods. Package Firewall makes this easy to do at scale. New version published yesterday? It's blocked until the cooldown clears, regardless of who's asking for it.
Software supply chain attacks are increasing
In our 2026 Open Source Malware Research Report, we found a 14x increase in OSV malware advisories over the past two years. 92% of all npm account takeovers happened in 2025 alone, where attackers compromise legitimate, trusted packages and push malicious versions under names developers already pin to.
The pace hasn't slowed in 2026. The last few months alone include:
- lightning, a PyPI package with around 8 million monthly downloads, backdoored with a credential stealer (April 2026).
- axios, 400+ million monthly downloads, hijacked maintainer account, two malicious versions pushed within 39 minutes (March 2026).
- telnyx, the Telnyx Python SDK backdoored with credential-harvesting code (March 2026).
Most of these get pulled within a few hours of being reported. But "a few hours" is plenty of time. You need an enforcement point that operates on the same timeline.
Real-time malware detection
Endor Labs operates a real-time analysis pipeline to detect emerging malware campaigns across the major open-source ecosystems, faster than any other products in market today:
- Continuously scans every newly uploaded package across npm, PyPI, Go, and other open-source ecosystems.
- An AI-enhanced analysis pipeline reviews every package using multi-pass analysis with different LLMs, static analysis tools, and behavioral signals to classify packages within minutes of upload.
- Reports malicious open-source packages directly to the registries, including npm and PyPI, so packages are taken down as quickly as possible.
Read our technical whitepaper for more on how the analysis pipeline works.
Malware is the headline use case, but Package Firewall enforces against the full Endor Labs policy engine. That means you can also block open-source packages based on:
- Known vulnerabilities: Block open-source packages with known vulnerabilities (CVEs).
- License compliance: Block open-source packages that don’t conform to your license policies.
This is where the firewall stops being a malware tool and starts being an actual policy enforcement point for your supply chain.
Get started
The Endor Labs Package Firewall is available today. Contact us to book a demo or to arrange a PoC.
What's next?
When you're ready to take the next step in securing your software supply chain, here are 3 ways Endor Labs can help:
