
feat: add slopsquatscan crate — Rust package supply chain scanner#73

Open
remigius-labs wants to merge 6 commits into sheeki03:main from remigius-labs:feat/add-slopsquatscan-tool

Conversation

@remigius-labs remigius-labs commented Apr 4, 2026

Summary

Adds slopsquatscan as a standalone Rust crate in the workspace — a CLI tool that scans installed packages for slopsquatting (AI-hallucinated package names registered by attackers).

What it checks:

  • npm (global), pip, and AUR packages
  • Flags packages NOT FOUND on their registry (suspicious)
  • Flags packages with very low downloads (<100/week) or newly published (<30 days)

Usage:

slopsquatscan              # scan all (npm + pip + AUR)
slopsquatscan --npm        # npm only
slopsquatscan --verbose    # show clean packages too
slopsquatscan --json       # machine-readable output

Changes

  • New crate: crates/slopsquatscan/ (3 source files, ~660 lines)
  • Added to workspace members in root Cargo.toml
  • No changes to existing tirith code

Structure

crates/slopsquatscan/
├── Cargo.toml
└── src/
    ├── main.rs        # CLI entry, orchestration, summary
    ├── registry.rs    # npm/pypi/aur registry checks via reqwest
    └── output.rs      # colored terminal output

Test plan

  • cargo build -p slopsquatscan — compiles clean
  • cargo clippy -p slopsquatscan -- -D warnings — zero warnings
  • cargo build — full workspace builds without breakage
  • Smoke tested --aur --verbose on Arch Linux
  • Release build: 4.1 MB binary

🤖 Generated with Claude Code
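The three heuristics the description lists (registry says NOT FOUND, fewer than 100 downloads/week, published less than 30 days ago), plus the "Warning instead of silently dropping on parse failure" behaviour from the commit message, as an added worked example. This is not code from the slopsquatscan crate or from this PR: the types `Lookup`, `RegistryMeta`, `Verdict`, `Summary`, the functions `classify`, `run_scan` and `sample_packages`, and the decision to report low-download/new packages as a Warning tier rather than Suspicious are all assumptions made for the example. Registry responses are constructed inline instead of fetched, so it runs offline.

```rust
// Added example, not part of the slopsquatscan crate. Names and the
// Warning/Suspicious tier split below are assumptions for illustration.

/// Thresholds quoted in the PR description.
pub const LOW_DOWNLOADS_PER_WEEK: u64 = 100;
pub const NEW_PACKAGE_MAX_DAYS: u64 = 30;
pub const SECS_PER_DAY: u64 = 86_400;

/// Metadata a registry (npm, PyPI, AUR) reports for a published name.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RegistryMeta {
    pub weekly_downloads: u64,
    /// First-publication time as a Unix timestamp (seconds).
    pub published_unix: u64,
}

/// Outcome of one registry lookup. Constructed here; a real scanner would
/// obtain this from an HTTP request to the registry.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Lookup {
    Found(RegistryMeta),
    /// Registry returned 404: nobody has published this name.
    NotFound,
    /// Registry answered, but the body did not parse as expected.
    Unparseable,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    Clean,
    Warning(String),
    Suspicious(String),
}

impl Verdict {
    fn label(&self) -> String {
        match self {
            Verdict::Clean => "clean".to_string(),
            Verdict::Warning(r) => format!("WARNING: {}", r),
            Verdict::Suspicious(r) => format!("SUSPICIOUS: {}", r),
        }
    }
}

/// Apply the PR's heuristics to one lookup result.
pub fn classify(lookup: &Lookup, now_unix: u64) -> Verdict {
    match lookup {
        // An installed name that no registry knows is the slopsquat signal.
        Lookup::NotFound => Verdict::Suspicious("not found on registry".to_string()),
        // Never drop a package silently on a parse failure; surface it instead.
        Lookup::Unparseable => {
            Verdict::Warning("registry response could not be parsed".to_string())
        }
        Lookup::Found(meta) => {
            // saturating_sub tolerates clock skew (publish time in the future).
            let age_days = now_unix.saturating_sub(meta.published_unix) / SECS_PER_DAY;
            let mut reasons = Vec::new();
            if meta.weekly_downloads < LOW_DOWNLOADS_PER_WEEK {
                reasons.push(format!("only {} downloads/week", meta.weekly_downloads));
            }
            if age_days < NEW_PACKAGE_MAX_DAYS {
                reasons.push(format!("published {} days ago", age_days));
            }
            if reasons.is_empty() { Verdict::Clean } else { Verdict::Warning(reasons.join("; ")) }
        }
    }
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Summary {
    pub clean: usize,
    pub warnings: usize,
    pub suspicious: usize,
    /// One report line per package; clean packages only when `verbose` is set.
    pub lines: Vec<String>,
}

/// Classify every installed package and tally the results (mirrors --verbose).
pub fn run_scan(packages: &[(&str, Lookup)], now_unix: u64, verbose: bool) -> Summary {
    let mut summary = Summary::default();
    for (name, lookup) in packages {
        let verdict = classify(lookup, now_unix);
        match &verdict {
            Verdict::Clean => summary.clean += 1,
            Verdict::Warning(_) => summary.warnings += 1,
            Verdict::Suspicious(_) => summary.suspicious += 1,
        }
        if verbose || verdict != Verdict::Clean {
            summary.lines.push(format!("{:<28} {}", name, verdict.label()));
        }
    }
    summary
}

/// Constructed sample inventory standing in for `npm ls -g` / `pip list` output.
pub fn sample_packages(now_unix: u64) -> Vec<(&'static str, Lookup)> {
    vec![
        ("well-known-lib", Lookup::Found(RegistryMeta {
            weekly_downloads: 250_000, published_unix: now_unix - 5 * 365 * SECS_PER_DAY })),
        ("hallucinated-helper-utils", Lookup::NotFound),
        ("fresh-pkg", Lookup::Found(RegistryMeta {
            weekly_downloads: 12, published_unix: now_unix - 3 * SECS_PER_DAY })),
        ("broken-meta", Lookup::Unparseable),
    ]
}

fn main() {
    let now = 1_800_000_000; // fixed constructed "now" so the run is reproducible
    let summary = run_scan(&sample_packages(now), now, false);
    for line in &summary.lines { println!("{}", line); }
    println!("{} clean, {} warnings, {} suspicious",
             summary.clean, summary.warnings, summary.suspicious);
}
```

The point worth noticing is the `Unparseable` arm: a scanner that `continue`s past a bad registry body produces a report in which the package simply never appears, which reads as "clean" to whoever skims the output. Turning that into an explicit Warning keeps the package count honest, which is exactly the change the commit message above describes.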

remigius-labs and others added 6 commits April 4, 2026 14:43
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extract per-package check logic into check_npm_package, check_pip_package,
and check_aur_package helpers (each under 60 lines). Add run_scan and
print_summary helpers in main.rs to reduce repetition. Replace silent
continue on JSON parse failure with a Warning result so no packages vanish.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@remigius-labs remigius-labs force-pushed the feat/add-slopsquatscan-tool branch from 52861f1 to cbc0773 Compare April 4, 2026 12:44
@remigius-labs remigius-labs changed the title feat: add ecosystem section with slopsquatscan feat: add slopsquatscan crate — Rust package supply chain scanner Apr 4, 2026