How Stateward protects you against typosquatting & slopsquatted packages
The threat
Attackers publish packages one keystroke away from a popular name, and AI assistants confidently import dependencies that don’t exist — "slopsquatting" — which attackers then register and weaponise.
How Stateward catches it
Stateward’s supply-chain engine scans the manifest’s added lines and flags two things: dependency names within typo-distance of a popular package, and non-registry sources (git+, file:, http:). This is the AI-specific supply-chain signal that incumbents miss.
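To make the two checks concrete, here is an added example (written for this page, not Stateward's own code) that reviews the added lines of a requirements.txt diff. It flags names within a small edit distance of a constructed "popular packages" list and any dependency pulled from a non-registry source; the diff, the popular list and the distance threshold are all assumptions for illustration.

```python
"""Review added manifest lines for typo-distance names and non-registry sources.
Added example for this page; not Stateward's implementation."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a "popular packages" list; a real check would
# load download-ranked names from the registry instead.
POPULAR_PACKAGES = {
    "requests", "numpy", "pandas", "flask", "django", "urllib3",
    "pyyaml", "cryptography", "boto3", "pillow",
}

# Source prefixes that resolve a dependency outside the package registry.
NON_REGISTRY_PREFIXES = ("git+", "file:", "http:", "https:", "ssh:")

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete and substitute cost 1,
    and a swap of two adjacent characters (the classic typo) also costs 1."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_added_requirement(diff_line: str) -> Optional[Tuple[str, bool]]:
    """Return (requirement text, is_non_registry) for an added line, or None
    for context, removed, header and comment lines."""
    if not diff_line.startswith("+") or diff_line.startswith("+++"):
        return None
    req = diff_line[1:].strip()
    if req.startswith("-e "):  # editable install, e.g. '-e git+https://...'
        req = req[3:].strip()
    if not req or req.startswith("#"):
        return None
    return req, req.startswith(NON_REGISTRY_PREFIXES)


def closest_popular(name: str, popular: set, max_distance: int) -> Optional[Tuple[str, int]]:
    """Nearest popular name within max_distance; an exact match is not a finding."""
    norm = normalize(name)
    if norm in popular:
        return None
    best = None
    for cand in popular:
        dist = osa_distance(norm, cand)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (cand, dist)
    return best


def review_added_lines(diff_lines: List[str], popular=POPULAR_PACKAGES,
                       max_distance: int = 1) -> List[Dict[str, str]]:
    """Walk a unified diff of a requirements file and collect findings."""
    findings: List[Dict[str, str]] = []
    normalized_popular = {normalize(p) for p in popular}
    for line in diff_lines:
        parsed = parse_added_requirement(line)
        if parsed is None:
            continue
        req, non_registry = parsed
        if non_registry:
            findings.append({"line": req, "kind": "non-registry-source",
                             "detail": "dependency resolved outside the package registry"})
            continue
        m = NAME_RE.match(req)
        if not m:
            continue
        near = closest_popular(m.group(1), normalized_popular, max_distance)
        if near:
            findings.append({"line": req, "kind": "typosquat-candidate",
                             "detail": f"{m.group(1)!r} is {near[1]} edit(s) from popular package {near[0]!r}"})
    return findings


# Constructed sample diff of a requirements.txt change under review.
SAMPLE_DIFF = [
    "--- a/requirements.txt",
    "+++ b/requirements.txt",
    "@@ -1,3 +1,8 @@",
    " flask==3.0.0",
    "+requests==2.31.0",
    "+reqeusts==2.31.0",
    "+PyYAML>=6.0",
    "+numpyy",
    "+git+https://git.example/org/tool.git#egg=tool",
    "+file:../vendor/localpkg",
    "-urllib3<2",
    "+# pinned for the CI image",
    "+some-unrelated-lib==0.4.1",
]

if __name__ == "__main__":
    for finding in review_added_lines(SAMPLE_DIFF):
        print(f"[{finding['kind']}] {finding['line']}: {finding['detail']}")
```

On the sample diff this reports two typo-distance candidates (reqeusts, numpyy) and two non-registry sources (the git+ and file: lines); the exact popular names, the comment and the removed line produce nothing. A hallucinated name that is nowhere near a popular package (the slopsquatting case) cannot be judged offline: a real check would additionally ask the registry whether the name exists at all and how recently it was registered.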
Recent advisories of this class
- [medium] GHSA-Q59X-JC9F-GFQF: Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
- [medium] GHSA-5739-39V2-5754: PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
- [high] GHSA-JC38-X7X8-2XC8: PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
- [high] GHSA-3PRJ-6HQW-CM82: PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
Check your own repo for this
Connect a repo and Stateward reviews your next pull request — read-only, free for individuals and open source.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.