What happened
The first self-replicating npm worm: a compromised @ctrl/tinycolor release harvested developer credentials, republished trojanised versions of every package the victim maintained, and spread to 500+ packages — exfiltrating secrets to attacker webhooks and a malicious GitHub Actions workflow.
The honest answer
Partly, and across several engines. The malicious install-script and secret-exfil patterns are exactly what Stateward’s supply-chain and secret engines watch for; the trojanised releases match against OSV/CISA-KEV once advisories land, and the monitor surfaces exploited-in-the-wild items 0day-first. Instant coverage at the moment a brand-new release drops depends on advisory timing — no scanner is omniscient — but the malicious GitHub Actions workflow and the credential harvesting are detectable signals, not invisible ones.
Stateward checks each added or changed dependency against OSV.dev advisories across npm, PyPI, crates.io, Maven, Go, RubyGems, Composer and NuGet, and — with the knowledge base on — tells you whether the vulnerable code is actually reachable from your project, not just present in the lockfile.
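A minimal version of that lockfile-diff check, written here as an added illustration (not Stateward's code): it lists dependencies that were added or changed between two npm lockfiles, flags any whose new entry declares an install hook, and builds the OSV.dev querybatch request body for the rest of the triage. The lockfiles, package names and versions are constructed for the example.

```python
import json

# Constructed sample npm lockfiles (lockfileVersion 3 layout); names and versions are invented.
OLD_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/example-lib": {"version": "1.0.0"},
    "node_modules/@acme/widget": {"version": "2.3.0"},
}}
NEW_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/example-lib": {"version": "1.0.0"},
    # bumped release that now declares a lifecycle install script
    "node_modules/@acme/widget": {"version": "2.3.1", "hasInstallScript": True},
    "node_modules/example-lib/node_modules/new-dep": {"version": "0.4.0"},
}}

def _name(key):
    """Map a lockfile 'packages' key to the package name (handles nested node_modules)."""
    return key.rsplit("node_modules/", 1)[-1]

def changed_packages(old, new):
    """Return {name: (old_version, new_version)} for dependencies added or version-changed."""
    before = {_name(k): v.get("version") for k, v in old["packages"].items() if k}
    out = {}
    for k, meta in new["packages"].items():
        if not k:  # the root entry describes the project itself
            continue
        name, ver = _name(k), meta.get("version")
        if before.get(name) != ver:
            out[name] = (before.get(name), ver)
    return out

def install_script_flags(lock, names):
    """Names among `names` whose new lockfile entry declares an install hook (hasInstallScript)."""
    return sorted(_name(k) for k, m in lock["packages"].items()
                  if k and _name(k) in names and m.get("hasInstallScript"))

def osv_batch_query(changed):
    """Build the request body for OSV.dev's POST /v1/querybatch for the changed npm packages."""
    return {"queries": [{"package": {"name": n, "ecosystem": "npm"}, "version": v}
                        for n, (_, v) in sorted(changed.items())]}

def review(old, new):
    changed = changed_packages(old, new)
    return {"changed": changed,
            "install_scripts": install_script_flags(new, set(changed)),
            "osv_request": osv_batch_query(changed)}

if __name__ == "__main__":
    print(json.dumps(review(OLD_LOCK, NEW_LOCK), indent=2))
```

The `osv_request` payload is what you would POST to https://api.osv.dev/v1/querybatch; an entry in `install_scripts` is the "new install hook on a changed dependency" signal the text describes, which deserves a look whether or not an advisory exists yet.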
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.