How Stateward protects you against typosquatting & slopsquatted packages
The threat
Attackers publish packages one keystroke away from a popular name, and AI assistants confidently import dependencies that don’t exist — "slopsquatting" — which attackers then register and weaponise.
How Stateward catches it
Stateward’s supply-chain engine scans the manifest’s added lines and flags names within typo-distance of a popular package, as well as non-registry sources (git+, file:, http:): the AI-specific supply-chain signal incumbents miss.
Recent advisories of this class
- GHSA-HHPQ-7WG4-36JM (medium): CakePHP Authentication: Open redirect weakness via backslash bypass
- GHSA-8FQ9-273G-6MRG (critical): Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
- GHSA-X2QC-CMH9-F4HF (medium): Deno: Denial of service via non-ASCII bytes in WebSocket response headers
- GHSA-2F55-G35J-5JMF (critical): HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
Check your own repo for this
Connect a repo and Stateward reviews your next pull request — read-only, free for individuals and open source.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.