A dependency firewall is a checkpoint that blocks malicious packages before they install, regardless of whether a developer, CI pipeline, or AI coding agent requested them. It works similarly to a network firewall, except the traffic here is open-source packages instead of network packets, and the point of entry is the install command.
Dependency firewalls exist because the volume of supply chain attacks makes them necessary. Aikido Intel now analyzes up to 100,000 malicious packages a day across open-source registries, up from around 20,000 a year ago. In Q2 2026 alone, it analyzed roughly 7.5 million package versions and confirmed 19,500 as malicious.
{{cta}}
Why are dependency firewalls necessary? #
The moment your package manager runs an install, your machine is exposed. Making matters worse, attackers have gotten faster, and AI has given them new ways in.
Install scripts are the payload delivery mechanism
When you run npm install
, packages can execute code as part of the install itself. The postinstall hook is where many modern supply chain attacks live because it runs with the developer's permissions before anyone has a chance to look at the code.
In March 2026, attackers hijacked the axios maintainer's npm account and pushed two malicious versions of the library (used across ~100 million weekly downloads). The payload came in through a newly added transitive dependency, plain-crypto-js
, whose postinstall hook dropped a cross-platform RAT onto every machine that ran the install.
Coding agents and MCP servers are new install surfaces
The package installation is no longer always initiated by a human. Coding agents and MCP servers pull from npm on developer machines with access to sensitive code and credentials. In September 2025, an attacker impersonating Postmark published a malicious MCP server to npm that quietly BCC'd every outgoing email to an attacker-controlled address. It was the first confirmed malicious MCP server on npm, and it's a sign of things to come.
Agents also hallucinate, and attackers have started registering the package names to take advantage of this. Agents that guess wrong now risk installing a package the attacker prepared in advance. This attack, sometimes called slopsquatting, didn't exist as a category two years ago.
Attack windows are getting shorter
The malicious `plain-crypto-js`
package that fed the axios attack existed for less than 24 hours before being pulled in. The [debug and chalk compromise](/blog/npm-debug-and-chalk-packages-compromised) hit 18 packages with more than 2 billion combined weekly downloads in a single wave. Any defense that runs after an install, whether it's a nightly scan or a public advisory, is too late.
A package you trust can turn on you
The most consequential supply chain attacks of the last year involved libraries with millions of weekly downloads. Attackers compromised maintainer accounts for axios, chalk, and debug, stole publish tokens, and pushed malicious versions of the same packages users already had in their lockfiles. Reputation and download counts don't protect you from a malicious new version. The check has to happen on every install.
What a dependency firewall checks for #
The specific checks vary between tools, but a dependency firewall worth using covers most of the following. And each check has to apply to transitive dependencies, as most modern attacks live several layers deep in the dependency tree. The malicious plain-crypto-js
package that fed the axios attack was a transitive dependency almost no one had explicitly installed.
Known malware
The baseline check. The firewall cross-references every package against a live threat feed and blocks anything that's already been flagged. This covers backdoors, credential stealers, crypto miners, and other packages known to be hostile. The critical thing here is that the intelligence feed moves faster than the attacker. A malicious package flagged three days after publication has likely already run on someone's machine.
Minimum package age
Most malicious releases get caught and pulled within a day or two of publication. A firewall that blocks or delays packages published in the last 24 to 48 hours takes the entire early-detection window off the table. The rest of the ecosystem is coming around to the same conclusion. Every major package manager in the npm ecosystem now supports a minimum release age setting that refuses to install any package version newer than a configurable threshold. pnpm, Yarn, Bun, and npm itself all ship it.
Dependency confusion, typosquats, and unclaimed names
These are three closely related patterns. Typosquats mimic popular package names (e.g., lodahs instead of lodash) and rely on a mistyped command going unnoticed. Dependency confusion targets internal package names that a company hasn't reserved on the public registry. The attacker publishes a public version with a higher number, and the resolver picks the malicious one, thinking it's a safe update. And there's a newer attack surface Aikido has been tracking, where package names are referenced in documentation and README files but never actually published. Left unclaimed, they're free for anyone to register, including attackers. Coding agents scraping the same docs will then install whatever's there. All three are catches a firewall makes before the download happens.
Install script behavior
Static rules and, in more capable firewalls, sandboxed execution inspect what a package's install scripts actually do, where they connect, what they read, what they spawn. This is where sophisticated attacks hide, and where cheap ones do their damage. The axios postinstall hook that pulled in plain-crypto-js is exactly the pattern this check is designed to catch.
Maintainer and account takeover signals
When the account behind a legitimate, widely-used library gets compromised, the malicious version ships to millions of lockfiles under a name everyone already trusts. Good firewalls flag the signals of an account takeover, such as an unexpected maintainer change, a version bump with no matching source commit, or a legitimate package suddenly adding a new dependency it has never needed before.
Obfuscation techniques
Attackers have gotten creative about what they hide and how. Recent examples include malware written in invisible Unicode characters that don't render in a code editor (os-info-checker-es6), payloads hidden in whitespace scrolled off-screen (react-html2pdf.js), and code smuggled inside image files. A firewall that only reads what a human editor would show misses all of these. The check has to look at the raw bytes.
Aikido's dependency firewall #
For teams that need developer firewall coverage for everything developers install on their machines (e.g., IDE extensions, browser extensions, MCP servers, AI coding tools), [Aikido Device Protection](/protect/device-protection) is the answer. It deploys through your existing MDM, runs on the same Intel underneath, and gives security teams centralized visibility across every workstation.
For individual developers, or teams that want to try the install-time check without deploying anything centrally, [Safe Chain](https://github.com/AikidoSec/safe-chain) is a free, open-source dependency firewall for npm, yarn, pnpm, pip, uv, poetry, and other package managers. Install it once, restart your shell, and every install runs through the firewall.
The intelligence behind both is Aikido Intel, which analyzes new package versions across 20+ ecosystems the moment they publish, flagging most in an average of six minutes and many within one or two. It runs in four layers (static rules, sandboxed execution, AI reasoning across files, human review for the hardest cases), and the feed itself is public and free under AGPL.
Together, Safe Chain, Intel, and Device Protection cover the full supply-chain install path, from a developer's npm install to an AI agent pulling in an MCP server on a workstation no one's watching.
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@graph": [
{
"@type": "BlogPosting",
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#article",
"isPartOf": {
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#webpage"
},
"mainEntityOfPage": {
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#webpage"
},
"headline": "What is a dependency firewall?",
"description": "A dependency firewall is a checkpoint that blocks malicious open-source packages before they install, whether a developer, a CI pipeline, or an AI coding agent requested them. Learn how they work, what they check for, and how Aikido Safe Chain and Device Protection cover the full supply-chain install path.",
"url": "https://www.aikido.dev/blog/what-is-a-dependency-firewall",
"datePublished": "2026-07-13T00:00:00+00:00",
"dateModified": "2026-07-13T00:00:00+00:00",
"inLanguage": "en-US",
"wordCount": 1450,
"timeRequired": "PT7M",
"articleSection": "Supply Chain Security",
"keywords": [
"dependency firewall",
"software supply chain security",
"malicious npm packages",
"install-time protection",
"Aikido Safe Chain",
"Aikido Intel",
"Aikido Device Protection",
"slopsquatting",
"typosquatting",
"dependency confusion",
"postinstall hook attack",
"npm supply chain attack",
"MCP server security",
"AI coding agent security",
"minimum package age",
"package manager cooldown"
],
"author": {
"@id": "https://www.aikido.dev/authors/nicholas-thomson#person"
},
"publisher": {
"@id": "https://www.aikido.dev#organization"
},
"image": {
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#primaryimage"
},
"about": [
{
"@type": "Thing",
"name": "Dependency firewall",
"description": "A security checkpoint that inspects and blocks malicious open-source packages before they install on a developer machine, CI pipeline, or AI coding agent."
},
{
"@type": "Thing",
"name": "Software supply chain security"
},
{
"@type": "Thing",
"name": "Install-time malware detection"
}
],
"mentions": [
{
"@type": "SoftwareApplication",
"name": "Aikido Safe Chain",
"applicationCategory": "SecurityApplication",
"operatingSystem": "Cross-platform",
"url": "https://github.com/AikidoSec/safe-chain",
"offers": {
"@type": "Offer",
"price": "0",
"priceCurrency": "USD"
}
},
{
"@type": "SoftwareApplication",
"name": "Aikido Device Protection",
"applicationCategory": "SecurityApplication",
"url": "https://www.aikido.dev/product/device-protection"
},
{
"@type": "Dataset",
"name": "Aikido Intel",
"description": "Open threat intelligence feed for malicious open-source packages, covering 20+ ecosystems in real time.",
"url": "https://intel.aikido.dev",
"license": "https://www.gnu.org/licenses/agpl-3.0.en.html"
},
{
"@type": "SoftwareApplication",
"name": "npm",
"applicationCategory": "DeveloperApplication"
},
{
"@type": "SoftwareApplication",
"name": "pnpm",
"applicationCategory": "DeveloperApplication"
},
{
"@type": "SoftwareApplication",
"name": "Yarn",
"applicationCategory": "DeveloperApplication"
},
{
"@type": "SoftwareApplication",
"name": "Bun",
"applicationCategory": "DeveloperApplication"
},
{
"@type": "Thing",
"name": "axios npm supply chain attack (March 2026)"
},
{
"@type": "Thing",
"name": "debug and chalk npm compromise (September 2025)"
},
{
"@type": "Thing",
"name": "postmark-mcp malicious MCP server (September 2025)"
},
{
"@type": "Thing",
"name": "Slopsquatting"
},
{
"@type": "Thing",
"name": "Typosquatting"
},
{
"@type": "Thing",
"name": "Dependency confusion"
}
],
"speakable": {
"@type": "SpeakableSpecification",
"cssSelector": ["h1", "h2", ".faq-question", ".faq-answer"]
}
},
{
"@type": "WebPage",
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#webpage",
"url": "https://www.aikido.dev/blog/what-is-a-dependency-firewall",
"name": "What is a dependency firewall? | Aikido Security",
"isPartOf": {
"@id": "https://www.aikido.dev#website"
},
"primaryImageOfPage": {
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#primaryimage"
},
"datePublished": "2026-07-13T00:00:00+00:00",
"dateModified": "2026-07-13T00:00:00+00:00",
"breadcrumb": {
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#breadcrumb"
},
"inLanguage": "en-US",
"potentialAction": [
{
"@type": "ReadAction",
"target": ["https://www.aikido.dev/blog/what-is-a-dependency-firewall"]
}
]
},
{
"@type": "BreadcrumbList",
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#breadcrumb",
"itemListElement": [
{
"@type": "ListItem",
"position": 1,
"name": "Home",
"item": "https://www.aikido.dev"
},
{
"@type": "ListItem",
"position": 2,
"name": "Blog",
"item": "https://www.aikido.dev/blog"
},
{
"@type": "ListItem",
"position": 3,
"name": "What is a dependency firewall?",
"item": "https://www.aikido.dev/blog/what-is-a-dependency-firewall"
}
]
},
{
"@type": "Organization",
"@id": "https://www.aikido.dev#organization",
"name": "Aikido Security",
"url": "https://www.aikido.dev",
"logo": {
"@type": "ImageObject",
"url": "https://www.aikido.dev/logo.png",
"width": 512,
"height": 512
},
"sameAs": [
"https://www.linkedin.com/company/aikido-security/",
"https://x.com/AikidoSecurity",
"https://www.youtube.com/@aikidosecurity",
"https://github.com/AikidoSec"
]
},
{
"@type": "WebSite",
"@id": "https://www.aikido.dev#website",
"url": "https://www.aikido.dev",
"name": "Aikido Security",
"publisher": {
"@id": "https://www.aikido.dev#organization"
},
"inLanguage": "en-US"
},
{
"@type": "Person",
"@id": "https://www.aikido.dev/authors/nicholas-thomson#person",
"name": "Nicholas Thomson",
"jobTitle": "Senior SEO & Growth Lead",
"worksFor": {
"@id": "https://www.aikido.dev#organization"
},
"url": "https://www.aikido.dev/authors/nicholas-thomson",
"sameAs": [
"https://www.linkedin.com/",
"https://x.com/"
]
},
{
"@type": "ImageObject",
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#primaryimage",
"url": "https://www.aikido.dev/blog/what-is-a-dependency-firewall/og-image.png",
"contentUrl": "https://www.aikido.dev/blog/what-is-a-dependency-firewall/og-image.png",
"caption": "What is a dependency firewall?"
},
{
"@type": "DefinedTerm",
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#definedterm",
"name": "Dependency firewall",
"description": "A dependency firewall is a checkpoint that blocks malicious open-source packages before they install, whether a developer, a CI pipeline, or an AI coding agent requested them. It works similarly to a network firewall, except the traffic is open-source packages instead of network packets and the point of entry is the install command.",
"inDefinedTermSet": {
"@type": "DefinedTermSet",
"name": "Aikido Security Glossary",
"url": "https://www.aikido.dev/glossary"
}
},
{
"@type": "FAQPage",
"@id": "https://www.aikido.dev/blog/what-is-a-dependency-firewall#faq",
"mainEntity": [
{
"@type": "Question",
"name": "How do I stop malicious npm packages from getting installed?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Install a dependency firewall that runs at the install command. Safe Chain is free and open source, wraps npm, yarn, pnpm, pip, and other package managers, and checks every install against Aikido Intel before the download completes. If the package is flagged, the install fails and nothing lands on your disk. Setup is one command plus a shell restart."
}
},
{
"@type": "Question",
"name": "How do I protect against typosquatting and dependency confusion?",
"acceptedAnswer": {
"@type": "Answer",
"text": "For dependency confusion specifically, use scoped package names for anything internal (e.g., @yourcompany/<package>) so there's no ambiguous name for an attacker to hijack. For typosquats, use an install-time dependency firewall that checks each package against a real-time threat feed. Safe Chain blocks both across every package manager it wraps."
}
},
{
"@type": "Question",
"name": "How do I stop AI coding agents from installing malicious packages?",
"acceptedAnswer": {
"@type": "Answer",
"text": "When an agent tries to npm install a hallucinated package name that an attacker has pre-registered (an attack called slop squatting), a dependency firewall will stop it from being downloaded at install time. But agents also install through IDE extensions, browser extensions, and MCP servers that bypass the terminal entirely. For that, Aikido Device Protection covers everything a developer machine can install, including extensions and MCP servers."
}
},
{
"@type": "Question",
"name": "What does Safe Chain cost?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Nothing. Safe Chain is free and open source under an MIT license, and it doesn't require an Aikido account to use. The threat feed it checks against, Aikido Intel, is also free and public."
}
},
{
"@type": "Question",
"name": "How do I roll out a dependency firewall across a whole team?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Aikido Device Protection provides a dependency firewall at the org level, deploying through whatever MDM you already run (Jamf, Kandji, Fleet, others) so every workstation is covered from day one. It runs on the same threat intelligence as Safe Chain and gives security teams centralized visibility across every machine."
}
}
]
}
]
}
</script>