About Veln
Veln is a supply chain security company. We build tools that verify every package install — across every major package manager — before it reaches a developer's machine.
We started with a simple observation: every major supply chain attack in the last five years succeeded because npm install and pip install trust the registry completely. No verification happens at the install moment — only after, when it's too late.
The Veln Agent intercepts npm, yarn, pnpm, bun, pip, pip3, uv, pipx, go, cargo, bundle, dotnet, mvn, and gradle traffic and runs a three-layer verification pipeline before any bytes reach the filesystem. The verdict is computed locally — your source code, project files, and dependency list never reach the Veln backend. On a warm cache the gate adds tens of milliseconds per package, typically under 50 ms. The agent does pull vulnerability data from OSV and attestation data from the npm registry — the same (name, version) lookup your package manager was about to do. Your license is a one-time, per-device purchase verified offline, so the agent never phones home to check it.
We don't think security should be a checkbox. Most tools check CVE databases after you've already installed a compromised package. We intercept the install. Not the log. The install.