Cloud AI
Our mission is to audit every single open-source package with a frontier model. Every release on npm and PyPI, read end-to-end by the most capable AI we can afford, so you don't have to trust a package you haven't personally reviewed.
The free CLI catches obvious red flags. Cloud AI goes further, running full AI audits on packages before you install them. $9/mo.
How it works
When you install a package with Cloud AI enabled, Bouncer looks up the package and version in the results of its scanning pipeline. Popular packages are audited by a frontier model as soon as a new version is published. Less popular packages are first scanned with faster, cheaper models and escalated to a stronger model for a second opinion if anything looks suspicious.
If a package hasn't been scanned yet, the CLI waits briefly for the pipeline to finish, then falls back to local heuristic checks if the audit is still pending.
Threat levels
Every package check returns one of three threat levels:
allow: No obvious signs of malicious behavior. The install proceeds normally.
warn: Suspicious signals. Bouncer shows what it found and lets you decide.
block: Confirmed threat. Bouncer stops the command.
Important: An "allow" result does not mean a package is safe, trustworthy, or free of bugs. It means Bouncer did not find obvious signs that the package is malicious. You should still exercise judgment, especially with unfamiliar packages or packages with very few downloads.
Smart prioritization
Every package runs through the same heuristic checks used by the free CLI: typosquat detection, known-malware matching, and install script analysis. These checks are fast and free, so they run on 100% of packages.
AI audits are prioritized by popularity. Package downloads follow an extreme power law: the top packages account for the vast majority of real-world installs. Bouncer works down from the most popular packages first, auditing each one and its full dependency tree before moving on. This means the packages that matter most get full AI coverage first.
When a new version of a popular package is published, it is queued for AI audit immediately. The AI reads actual source code: install scripts, entry points, and package source. It looks for obfuscated exfiltration, hidden backdoors, encoded payloads, and novel attack patterns that no signature database has seen.
Coverage expands continuously. As we audit more packages, the threshold moves down to include less popular packages. Our goal is full AI coverage of every package on npm and PyPI.
Chain of trust
When a new version of a package is published, Bouncer doesn't always need to re-audit the entire source from scratch. If the previous version was already audited clean by a trusted model, Bouncer can audit just the diff, the lines that actually changed between versions. This is faster, cheaper, and lets the pipeline keep up with the volume of updates across npm and PyPI.
But diff audits only work if there's an unbroken chain of trust back to a full source audit. Every version in the chain must have an "allow" verdict, and the chain must be anchored by at least one full audit (not a diff). If any link is missing, broken, or flagged, Bouncer falls back to a full source audit of the current version.
This means Bouncer gets the cost savings of diff audits on routine updates while guaranteeing that every package has been fully reviewed at least once.
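The chain rule above, as an added illustration rather than Bouncer's own code. It assumes one audit record per version carrying a verdict, an audit kind of full or diff, the base version a diff was taken against, and the model that produced the verdict; the field names, the sample history and the notion that only the frontier model counts as a trusted link are assumptions made for the example:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Models whose "allow" verdict is trusted to anchor or extend a chain.
# Assumption for this example: cheaper first-pass models do not qualify.
TRUSTED_MODELS = {"frontier"}


@dataclass(frozen=True)
class AuditRecord:
    version: str
    verdict: str                 # "allow" | "warn" | "block"
    kind: str                    # "full" (whole source) or "diff" (changes since base)
    base: Optional[str] = None   # for diff audits: the version the diff was taken against
    model: str = "frontier"      # hypothetical field naming the model that produced the verdict


def chain_is_trusted(records: dict[str, AuditRecord], version: str) -> bool:
    """Walk back from `version` through diff audits until a full audit is reached.

    Every link must be an "allow" verdict from a trusted model. A missing record,
    a non-allow verdict, an untrusted model, a diff with no base, or a cycle all
    break the chain.
    """
    seen = set()
    cur: Optional[str] = version
    while cur is not None:
        if cur in seen:
            return False              # malformed history: the chain loops
        seen.add(cur)
        rec = records.get(cur)
        if rec is None:
            return False              # missing link
        if rec.verdict != "allow" or rec.model not in TRUSTED_MODELS:
            return False              # flagged, or not audited by a trusted model
        if rec.kind == "full":
            return True               # anchored in a full source audit
        if rec.kind != "diff":
            return False
        cur = rec.base                # follow the diff back one more version
    return False                      # a diff with no base never reaches an anchor


def plan_audit(records: dict[str, AuditRecord], previous_version: Optional[str]) -> str:
    """Choose how to audit a newly published version.

    A diff audit against `previous_version` is allowed only when that version sits
    on an unbroken trusted chain; otherwise the new version gets a full source audit.
    """
    if previous_version is not None and chain_is_trusted(records, previous_version):
        return "diff"
    return "full"


def sample_history() -> dict[str, AuditRecord]:
    """Constructed audit history for one hypothetical package."""
    return {
        "1.0.0": AuditRecord("1.0.0", "allow", "full"),
        "1.0.1": AuditRecord("1.0.1", "allow", "diff", base="1.0.0"),
        "1.0.2": AuditRecord("1.0.2", "warn", "diff", base="1.0.1"),    # flagged link
        "2.0.0": AuditRecord("2.0.0", "allow", "diff", base="1.9.9"),   # 1.9.9 was never audited
        "3.0.0": AuditRecord("3.0.0", "allow", "full", model="cheap"),  # anchored by an untrusted model
    }


if __name__ == "__main__":
    history = sample_history()
    for prev in ["1.0.1", "1.0.2", "2.0.0", "3.0.0", None]:
        print(f"previous={prev!s:6} -> {plan_audit(history, prev)} audit")
```

Note that a flagged link poisons every later diff in the chain, not just the next one: once 1.0.2 came back "warn", 1.0.3 needs a full audit, and only that full audit can start a new chain.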
Deep dependency scanning
The free CLI only scans the packages you name directly. Cloud AI walks the full dependency tree: when you install a package, Bouncer follows the chain of runtime dependencies up to 10 levels deep, enriching and scanning each one. If any dependency in the tree has been flagged as dangerous or suspicious, Bouncer surfaces it with the full chain path so you can see exactly how it got into your project.
Dependency types
Package manifests can declare four types of dependencies. Bouncer treats each differently based on the risk it poses to you:
Runtime: Runs in production. Scanned at every level of the dependency tree. Verdicts pass through as-is: a blocked runtime dependency blocks your install.
Dev: Build tools and test frameworks that run on developer machines, not in production. Blocked dev dependencies are downgraded to warnings; suspicious dev dependencies are silenced.
Peer: Packages the host project is expected to provide (common in plugins). Same escalation rules as dev dependencies.
Optional: Packages that enhance functionality but are not required; the package manager continues the install even if they fail to install. Same escalation rules as dev dependencies.
Why non-runtime verdicts are downgraded
Dev, peer, and optional dependencies don't run in your production environment, so a compromise in one of them has a smaller blast radius than a compromised runtime dependency. But they still run on developer machines during builds and tests, which means confirmed malware in a dev dependency can still steal credentials, inject backdoors into build artifacts, or compromise CI pipelines.
Bouncer's escalation rules reflect this tradeoff: confirmed threats (block) in non-runtime dependencies are downgraded to warnings so you're aware of the risk without being blocked from installing. Merely suspicious signals (warn) in non-runtime dependencies are silenced entirely to reduce noise. These are often false positives from heuristic scans, and flagging every suspicious dev dependency would train developers to ignore warnings.
How the tree walk works
Bouncer performs a breadth-first walk of the dependency tree starting from the package you install. At each level, it enriches any runtime dependency it hasn't seen before (downloading the tarball, parsing its manifest, and running heuristic checks). It follows only runtime dependencies deeper into the tree since dev, peer, and optional dependencies of your dependencies don't end up in your production runtime.
Circular dependencies are handled automatically. Bouncer tracks which packages it has already visited and skips duplicates, so cycles don't cause infinite loops or duplicate warnings.
When a risky dependency is found deep in the tree, Bouncer reports the full chain (e.g., lodash > minimist > evil-pkg) so you can trace exactly how it enters your project.
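The tree walk and the escalation rules from the sections above, as an added example rather than Bouncer's code. It assumes a registry of cached verdicts keyed by package name with typed dependency edges, that dev, peer and optional dependencies are scanned only where they hang directly off the package you install, and that a depth-capped breadth-first walk follows only runtime edges; every package name and verdict in the registry is constructed for the example:

```python
from collections import deque
from dataclasses import dataclass

SEVERITY = {"allow": 0, "warn": 1, "block": 2}
MAX_DEPTH = 10  # runtime dependencies are followed up to 10 levels below the installed package

# Constructed registry standing in for cached Cloud AI verdicts.
# name -> (verdict, [(dependency, dependency type), ...]); every name here is hypothetical.
REGISTRY = {
    "my-app":         ("allow", [("parse-args", "runtime"), ("test-runner", "dev"),
                                 ("host-framework", "peer"), ("native-accel", "optional")]),
    "parse-args":     ("allow", [("evil-pkg", "runtime")]),
    "evil-pkg":       ("block", [("parse-args", "runtime")]),  # cycle back to parse-args
    "test-runner":    ("block", [("color-lib", "runtime")]),   # dev dependency: its subtree is not walked
    "color-lib":      ("block", []),
    "host-framework": ("warn", []),
    "native-accel":   ("allow", []),
}


def effective_verdict(raw: str, dep_type: str) -> str:
    """Escalation rules: runtime verdicts pass through unchanged; for dev, peer and
    optional dependencies "block" is downgraded to "warn" and "warn" is silenced."""
    if dep_type == "runtime":
        return raw
    if raw == "block":
        return "warn"
    if raw == "warn":
        return "allow"
    return raw


@dataclass(frozen=True)
class Finding:
    package: str
    dep_type: str
    raw: str
    effective: str
    chain: tuple  # e.g. ("my-app", "parse-args", "evil-pkg")

    def path(self) -> str:
        return " > ".join(self.chain)


def walk_tree(root: str, registry=REGISTRY, max_depth: int = MAX_DEPTH):
    """Breadth-first walk from the installed package. Returns (decision, findings):
    the most severe effective verdict in the tree and one Finding per package whose
    effective verdict is not "allow", with the chain that pulled it in."""
    findings = []
    root_verdict, _ = registry[root]
    if root_verdict != "allow":
        findings.append(Finding(root, "runtime", root_verdict, root_verdict, (root,)))
    visited = {root}
    queue = deque([(root, 0, (root,))])
    while queue:
        name, depth, chain = queue.popleft()
        if depth >= max_depth:
            continue                       # depth cap reached; do not expand further
        _, deps = registry[name]
        for dep, dep_type in deps:
            if depth > 0 and dep_type != "runtime":
                continue                   # dev/peer/optional deps of a dependency never reach production
            if dep in visited:
                continue                   # cycles and shared dependencies are reported once
            visited.add(dep)
            raw, _ = registry[dep]
            eff = effective_verdict(raw, dep_type)
            if eff != "allow":
                findings.append(Finding(dep, dep_type, raw, eff, chain + (dep,)))
            if dep_type == "runtime":
                queue.append((dep, depth + 1, chain + (dep,)))  # only runtime edges go deeper
    decision = max((f.effective for f in findings), key=SEVERITY.__getitem__, default="allow")
    return decision, findings


if __name__ == "__main__":
    decision, findings = walk_tree("my-app")
    for f in findings:
        print(f"{f.effective:5} (raw {f.raw:5}, {f.dep_type:8}) {f.path()}")
    print("decision:", decision)
```

Running it reports test-runner as a warning (a blocked dev dependency, downgraded), evil-pkg as a block with the chain my-app > parse-args > evil-pkg, and nothing for host-framework (a suspicious peer dependency, silenced) or color-lib (never visited, because dev subtrees are not followed); the overall decision is block.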
Real-time scanning
Bouncer's firehose monitors new versions published to npm and PyPI. Popular packages are scanned within seconds of being published, so by the time you run npm install or pip install the results are already cached and ready.
You can watch the firehose live at /firehose.