Every package, verified.

Veln protects your npm and Python installs from malicious packages.

It verifies every install against the community, checks for obfuscated code, and blocks threats before the package is written to disk.

npm · Python · Local proxy · Zero configuration

The install command you run every day is a trust decision you're not making.

When event-stream was compromised in 2018, the attacker didn't hack npm. They asked the maintainer for access. Within days, a malicious version with a Bitcoin-stealing payload was installed by thousands of developers. The package looked legitimate. The maintainer's account was legitimate. The install command was identical.

PyPI is among the most-targeted package registries for supply chain attacks. Each year hundreds of malicious packages are identified on PyPI — most mimicking popular libraries like requests, boto3, and numpy. Many remain live for days before detection.

Most major npm and PyPI attacks in recent years have exploited the same gap: the hours between when a malicious package is published and when any threat feed knows about it. During that window, your npm install and pip install commands trust the registry completely. Nothing checks what you're actually downloading.

Veln closes the window. Not by checking threat feeds faster — by not trusting any package that hasn't earned it.

The exposure window (illustrative)

One malicious publish: threat feeds are still blind while installs happen.

  1. Malicious version published
  2. First installs (CI auto-updaters)
  3. Package yanked by maintainer
  4. Threat feed alert published

Veln doesn't wait for that feed. On the first install attempt, the cooling gate can hold the version — before a feed would ever flag it.

How it works

You install normally

Run npm install or pip install exactly as you do today. Veln routes your package manager traffic through a local proxy that runs silently in the background. Nothing changes about your workflow.

Veln verifies

Within milliseconds, Veln checks the package hash against community observations, the publisher’s account history, how recently the version was published, and whether the code contains obfuscated payloads. It runs invisibly. You see nothing unless something is wrong.

Threats are stopped

When Veln finds something — a hash that differs from community observations, code that is newly obfuscated relative to the previous version, a package published minutes ago — it stops the install. Specific file. Specific line. Specific reason. Never “suspicious activity detected.”

npm and Python. Two of the most attacked ecosystems.

The majority of reported supply chain attacks target npm and PyPI. Veln protects both with zero configuration changes to your workflow.

npm & Node.js

Interception: NPM_CONFIG_REGISTRY
Package managers: npm · yarn · pnpm
Lockfiles: package-lock.json · yarn.lock · pnpm-lock.yaml
Install hooks: postinstall, preinstall, gyp builds
Frozen install: npm ci

Python & pip

Interception: PIP_INDEX_URL + UV_INDEX_URL
Package managers: pip · uv · poetry
Lockfiles: requirements.txt · uv.lock · poetry.lock
Install hooks: setup.py cmdclass, pyproject.toml hooks
Frozen install: pip install -r requirements.txt

What you download, compared against what everyone else got.

Every time a Veln user installs a package, they contribute an observation: this package name, this version, this hash. The platform aggregates observations across all users.

If thousands of other developers received one hash for lodash@4.17.21 and you receive a different one, you are being served a different binary. Veln detects this in real time and blocks the install — before any threat feed knows about it.

Consensus is one of the few defenses against supply chain attacks that serve different binaries to different IP ranges. Static analysis cannot catch it. Threat feeds cannot catch it in time. Cross-checking what you received against what everyone else received can.
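To make the consensus check and the cooling gate concrete, here is an added illustration (not Veln's own code; the thresholds, the observation format and the sample hashes are assumptions constructed for the example). It aggregates community (name, version, hash) observations and returns a specific reason whenever an install is blocked.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical thresholds: the page does not give Veln's real values.
MIN_OBSERVATIONS = 20                  # community sightings needed before a hash is trusted
MIN_AGREEMENT = 0.99                   # share of observers that must report the same hash
COOLING_PERIOD = timedelta(hours=24)   # versions younger than this are held


@dataclass(frozen=True)
class Observation:
    name: str
    version: str
    sha256: str


def check_install(name, version, received_sha256, published_at, now, observations):
    """Return (allow, reason): compare what we received with what everyone else got."""
    # Cooling gate: a version published minutes ago has no community track record yet.
    if now - published_at < COOLING_PERIOD:
        return False, f"{name}@{version} published {now - published_at} ago; held by cooling gate"

    hashes = Counter(o.sha256 for o in observations if o.name == name and o.version == version)
    total = sum(hashes.values())
    if total < MIN_OBSERVATIONS:
        return False, f"{name}@{version}: only {total} observations, not enough for consensus"

    consensus, agreeing = hashes.most_common(1)[0]
    if agreeing / total < MIN_AGREEMENT:
        return False, f"{name}@{version}: observers split across {len(hashes)} hashes"

    if received_sha256 != consensus:
        # Divergence: the registry served us a different artifact than the community saw.
        return False, (f"{name}@{version}: received {received_sha256[:12]}..., "
                       f"{agreeing}/{total} observers got {consensus[:12]}...")

    return True, f"{name}@{version}: matches {agreeing}/{total} community observations"

# Constructed sample data (not real hashes): 1,000 observers agree on one artifact.
GOOD = "a" * 64
EVIL = "b" * 64
OBSERVATIONS = [Observation("lodash", "4.17.21", GOOD)] * 1000
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
OLD = NOW - timedelta(days=30)

if __name__ == "__main__":
    for sha, published in ((GOOD, OLD), (EVIL, OLD), (GOOD, NOW - timedelta(minutes=5))):
        print(check_install("lodash", "4.17.21", sha, published, NOW, OBSERVATIONS))
```

The three cases run at the bottom correspond to the page's scenarios: a hash matching consensus is allowed, a divergent hash for a well-observed version is blocked with the observer count in the reason, and a version published minutes ago is held by the cooling gate regardless of its hash.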

Simple pricing.

Individual

$4.99 / license / month

Full protection for one developer machine. npm and Python.

Business

$3.99 / license / month

For teams with 50 or more licenses

Everything in Individual. Volume pricing. Centralized billing.

Protect your next npm install.

Create an org, install the CLI, and run veln activate—every npm and pip install on your machine is verified.

$4.99 / license / month · Cancel anytime