v0.1.0 · early access · be the first to sign

Stop supply chain
attacks at install time.

A new credential system for npm. Publishers sign every release with a DID. Consumers verify every install against a policy they write. We're live — you're early.

3 packages attested · 1 issuer · 9 credentials
~/acme-app — ajna-sc verify · live

$ ajna-sc verify

Honest output: most of npm is still unattested.
Threat model

Attacks that npmvc kills before they run.

npm dependencies execute arbitrary code on your machine, in CI, in production. If the publisher can be impersonated, or the tarball replaced, you lose.

Typosquats

unattested=block

chaik → chalk. Unattested look-alikes fail policy before install.

Maintainer takeover

publisherContinuity

Old DID disappears, new DID arrives. No handover credential = block.

Protestware / sabotage

requireAuditWithin

New version from a trusted issuer still requires fresh audit within 90d.

Lifecycle scripts

lifecycleScripts

postinstall hooks whitelisted only. Everything else refuses to run.

Zero-day exploitation

minAge=7d

minAge enforces a 7-day quarantine. Fresh CVEs are not your problem.

Stolen signing keys

did:webvh

did:webvh pre-rotation means a stolen key cannot update the DID log.
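The six rules above are what a consumer policy actually has to decide at install time. The following is an added example, not code from this page or from the @ajna-inc/supplychain package: a minimal policy evaluator that walks a lockfile and applies unattested, minAge, requireAuditWithin, lifecycleScripts and publisherContinuity checks. The policy keys, the attestation record shape, the DIDs and every package other than chalk/chaik are assumptions constructed for the demo; the only borrowed detail is package-lock.json's hasInstallScript flag.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Rank used to pick the worst outcome across the whole lockfile.
const RANK = { allow: 0, warn: 1, block: 2 };

// Evaluate one locked package against the policy (hypothetical policy shape).
// Returns { action: 'allow' | 'warn' | 'block', reasons: string[] }.
function evaluatePackage(policy, entry, attestation, previousIssuer, now) {
  const id = `${entry.name}@${entry.version}`;
  const reasons = [];

  // unattested: nobody has signed this package; typosquats land here.
  if (!attestation) {
    return { action: policy.unattested, reasons: [`${id} has no credential`] };
  }

  // minAge: quarantine releases younger than the window.
  const ageDays = (now - Date.parse(attestation.publishedAt)) / DAY_MS;
  if (ageDays < policy.minAgeDays) {
    reasons.push(`${id} is ${ageDays.toFixed(1)}d old, under minAge=${policy.minAgeDays}d`);
  }

  // requireAuditWithin: a trusted issuer is not enough, the audit must be fresh.
  const auditAge = attestation.auditedAt
    ? (now - Date.parse(attestation.auditedAt)) / DAY_MS
    : Infinity;
  if (auditAge > policy.requireAuditWithinDays) {
    reasons.push(`${id} has no audit within ${policy.requireAuditWithinDays}d`);
  }

  // lifecycleScripts: install scripts run only for allowlisted package names.
  if (entry.hasInstallScript && !policy.lifecycleScripts.allow.includes(entry.name)) {
    reasons.push(`${id} runs a lifecycle script and is not allowlisted`);
  }

  // publisherContinuity: a new issuer must carry a handover from the old one.
  if (policy.publisherContinuity && previousIssuer && previousIssuer !== attestation.issuer
      && attestation.handoverFrom !== previousIssuer) {
    reasons.push(`${id} issuer changed from ${previousIssuer} without a handover credential`);
  }

  return { action: reasons.length ? 'block' : 'allow', reasons };
}

// Walk every lockfile entry; return the worst action plus per-package detail.
function verifyLockfile(policy, lockfile, attestations, issuerHistory, now) {
  const results = {};
  let decision = 'allow';
  for (const entry of lockfile) {
    const id = `${entry.name}@${entry.version}`;
    const r = evaluatePackage(policy, entry, attestations[id] ?? null,
                              issuerHistory[entry.name] ?? null, now);
    results[id] = r;
    if (RANK[r.action] > RANK[decision]) decision = r.action;
  }
  return { decision, results };
}

// --- constructed sample data (not real packages, issuers or credentials) ---
const NOW = Date.parse('2025-06-01T00:00:00Z');
const daysBefore = (n) => new Date(NOW - n * DAY_MS).toISOString();

const policy = {
  unattested: 'block',
  minAgeDays: 7,
  requireAuditWithinDays: 90,
  lifecycleScripts: { allow: ['native-widget'] },
  publisherContinuity: true,
};

// Shape borrowed from package-lock.json: hasInstallScript marks lifecycle scripts.
const lockfile = [
  { name: 'chalk', version: '5.3.0', hasInstallScript: false },
  { name: 'chaik', version: '5.3.0', hasInstallScript: false },       // typosquat, unsigned
  { name: 'native-widget', version: '1.2.0', hasInstallScript: true }, // allowlisted script
  { name: 'sneaky-dep', version: '0.0.3', hasInstallScript: true },    // script, not allowlisted
  { name: 'util-lib', version: '2.0.0', hasInstallScript: false },     // issuer changed
  { name: 'fresh-lib', version: '1.0.0', hasInstallScript: false },    // too new
  { name: 'stale-lib', version: '3.1.0', hasInstallScript: false },    // audit expired
];

const attestations = {
  'chalk@5.3.0':         { issuer: 'did:webvh:example.test:chalk', publishedAt: daysBefore(40),  auditedAt: daysBefore(20) },
  'native-widget@1.2.0': { issuer: 'did:webvh:example.test:nw',    publishedAt: daysBefore(30),  auditedAt: daysBefore(5) },
  'sneaky-dep@0.0.3':    { issuer: 'did:webvh:example.test:sd',    publishedAt: daysBefore(30),  auditedAt: daysBefore(5) },
  'util-lib@2.0.0':      { issuer: 'did:webvh:example.test:new',   publishedAt: daysBefore(60),  auditedAt: daysBefore(30) },
  'fresh-lib@1.0.0':     { issuer: 'did:webvh:example.test:fresh', publishedAt: daysBefore(2),   auditedAt: daysBefore(1) },
  'stale-lib@3.1.0':     { issuer: 'did:webvh:example.test:stale', publishedAt: daysBefore(200), auditedAt: daysBefore(120) },
};

// Issuer seen for each name in the previous lockfile (continuity check input).
const issuerHistory = { 'util-lib': 'did:webvh:example.test:old' };

function runDemo() {
  return verifyLockfile(policy, lockfile, attestations, issuerHistory, NOW);
}

const { decision, results } = runDemo();
for (const [id, r] of Object.entries(results)) {
  console.log(r.action.padEnd(5), id, r.reasons.join('; '));
}
console.log('decision:', decision);
```

The evaluator is deliberately fail-closed: any rule that fires turns the package into a block, and the worst per-package action becomes the install decision, so one unsigned look-alike deep in the tree is enough to stop `npm ci`. Passing `now` explicitly keeps minAge and requireAuditWithin deterministic, which matters if you want the same lockfile to verify identically in CI and on a laptop.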

How it works

Three moving parts. No native deps. Works with npm, pnpm, yarn.

01

Publishers sign

$ ajna-sc init && ajna-sc attest

Ed25519 key pair. Provenance + SBOM + Lifecycle wrapped in DSSE envelopes. Uploaded to npmvc.com or self-hosted.

02

Registry resolves

$ did:webvh + did.jsonl

Hash-chained DID log with pre-rotation. Public-key lookup, revocation status, trust root — all from one URL.

03

Consumers verify

$ ajna-sc install-hook

Preinstall hook walks the lockfile, checks every signature against your policy. Block, warn, or allow — your call.

Registry · day zero

The supply chain, from an empty canvas.

Three packages. One issuer. Every credential public and verifiable. This page will fill in as the ecosystem signs.

3 packages · 1 issuer · 9 credentials · 0 revocations
activity · global

2d ago · ajna-inc · published @ajna-inc/supplychain@0.1.0
2d ago · ajna-inc · signed ProvenanceCredential + SBOM + Lifecycle
2d ago · ajna-inc · published @ajna-inc/github-action@0.1.0
2d ago · ajna-inc · published @ajna-inc/verdaccio-plugin@0.1.0
19d ago · ajna-inc · bootstrapped did:webvh:npmvc.com:ajna-inc (genesis)
19d ago · npmvc.com · launched registry v0.1.0
step 1 · Add to your project
$ npm i -D @ajna-inc/supplychain
step 2 · Create a policy
$ npx ajna-sc policy init && ajna-sc install-hook
step 3 · Verify on every install
$ npm ci # preinstall hook runs verify