About

What GreenFlagged is and why this blog exists.

GreenFlagged is a pull-through npm registry cache that only serves packages which have passed automated security analysis and, when needed, human review. Packages are put through a scanning pipeline: static analysis, OSV, a battery of custom analyzers, a multi-tiered AI reviewer, and a human sign-off — before they’re available in the registry with a regular npm install.

This blog is where we write about that work: the supply-chain attacks we catch (often times shortly after being published), how things actually work under the hood, and the strange, instructive things that turn up when you look closely at what’s being published to the registry every day.

It’s written by one person, so posts are occasional and practical rather than a content schedule. If you’re interested, subscribe to the RSS feed to follow along.