ID/ SLC-0X1
STATUS | LIVE
PKG-CHECKS/ 5
LATENCY/ ~2S
SOURCE/ NPM · PYPI · GO · CARGO · GEMS

SCAN YOUR DEPS.
TRUST NOTHING.

Paste any dependency manifest - package.json, requirements.txt, go.mod, Cargo.toml - and Hook Check audits every package in seconds. Flags typosquats, newly registered packages, suspiciously low downloads, malicious install scripts, and known CVEs.

FILE: requirements.txt
PACKAGES: 14 scanned
TIME: 1.8s

CRITICAL    crypto-utils        NOT ON PYPI
CRITICAL    flask-helpers       NOT ON PYPI
⚠️ HIGH     data-frame-utils    12 DAYS OLD
⚠️ HIGH     pip-utils           43 DOWNLOADS
CLEAN       numpy
CLEAN       flask
CLEAN       sqlalchemy
+ 8 more...

VULN SCAN ██████░░░░ 3 CVEs found (1 CRITICAL)

SCAN YOUR MANIFEST

PASTE. SCAN.
FIND OUT.

[01] PROBLEM

THE SLOPSQUATTING
THREAT

Slopsquatting is a documented, active threat. AI models suggest package names that don't exist - threat actors register those names on public registries within hours, load them with malicious install scripts, and wait. Hook Check cross-checks every dependency in your manifest against live registry data, download history, and the OSV vulnerability database before a single byte executes.

[02] WHAT WE CHECK

FIVE FLAGS.
ZERO ACCOUNTS.

NONEXISTENT: Package returns 404 on registry (e.g. crypto-utils)
⚠️ NEWLY REGISTERED: Created less than 30 days ago (e.g. ml-utils-py)
⚠️ LOW DOWNLOADS: Below ecosystem download floor (npm <500/mo | PyPI <200/mo)
⚠️ POST-INSTALL SCRIPT: Script calls curl, wget, or eval (e.g. postinstall: curl | sh)
LEGIT: Exists, old enough, trusted volume (e.g. numpy, flask, express)
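
The flag rules above, applied to a requirements.txt, as an added example (this is not Hook Check's own code). The metadata field names (`created`, `monthly_downloads`, `install_script`), the sort order in `RANK`, and all sample registry values are assumptions constructed for illustration; a real check would fill `registry` from live registry lookups.

```python
import re
from datetime import datetime, timezone

# Thresholds taken from the flag list above.
MAX_NEW_AGE_DAYS = 30
DOWNLOAD_FLOOR = {"npm": 500, "pypi": 200}  # downloads per month
RISKY_SCRIPT = re.compile(r"\b(curl|wget|eval)\b")
# Assumption: ordering used only to rank results; the page does not define it.
RANK = {"NONEXISTENT": 0, "POST-INSTALL SCRIPT": 1, "NEWLY REGISTERED": 2, "LOW DOWNLOADS": 3, "LEGIT": 4}

def parse_requirements(text):
    """Return normalised package names, skipping comments and pip options (-r, -e, ...)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:  # PEP 503 normalisation, so Crypto_Utils and crypto-utils compare equal
            names.append(re.sub(r"[-_.]+", "-", m.group(0)).lower())
    return names

def flags_for(meta, ecosystem, now):
    """meta is None when the registry answered 404, otherwise a metadata dict."""
    if meta is None:
        return ["NONEXISTENT"]
    flags = []
    if RISKY_SCRIPT.search(meta.get("install_script", "")):
        flags.append("POST-INSTALL SCRIPT")
    if (now - meta["created"]).days < MAX_NEW_AGE_DAYS:
        flags.append("NEWLY REGISTERED")
    if meta["monthly_downloads"] < DOWNLOAD_FLOOR[ecosystem]:
        flags.append("LOW DOWNLOADS")
    return flags or ["LEGIT"]

def audit(manifest, registry, ecosystem, now):
    """Flag every package in the manifest and return rows ranked worst-first."""
    rows = [(n, flags_for(registry.get(n), ecosystem, now)) for n in parse_requirements(manifest)]
    return sorted(rows, key=lambda r: (min(RANK[f] for f in r[1]), r[0]))

# Constructed sample data, not real registry responses.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
OLD = datetime(2015, 1, 1, tzinfo=timezone.utc)
REGISTRY = {
    "numpy": {"created": OLD, "monthly_downloads": 10_000_000},
    "data-frame-utils": {"created": datetime(2025, 1, 19, tzinfo=timezone.utc), "monthly_downloads": 900},
    "pip-utils": {"created": OLD, "monthly_downloads": 43},
}
MANIFEST = "numpy>=1.26\nCrypto_Utils==0.1  # from an assistant\ndata-frame-utils\npip-utils\n-r base.txt\n"
```

Calling `audit(MANIFEST, REGISTRY, "pypi", NOW)` returns the missing package first, then the 12-day-old one, then the low-download one, with numpy last as LEGIT.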

[03] HOW IT WORKS

THREE STEPS.
TWO SECONDS.

01 / PASTE

Drop your package.json or requirements.txt into the box.

02 / SCAN

We hit npm + PyPI directly from your browser. No server. No logs.

03 / REVIEW

Results ranked by severity. Export or fix.

[04] FAQ

COMMON
QUESTIONS.