Vibe coding...meet safe packages.

Zaid Al Hamami

In the previous post, we made the case that developers are prime targets of attack these days. Hardly a week goes by without some malware slipping into an open source package ecosystem. Developers are affected as soon as they install such a package, whether directly or as a transitive dependency.

This problem is getting bigger because far more code is now produced by agentic coding tools such as Claude, Cursor, Copilot and others, and those tools pick and install dependencies on the developer's behalf.

We now have to worry about agents pulling in dangerous packages. A package can be dangerous for a number of reasons:

  • Malware inserted into a legitimate package (a compromised maintainer account or build)
  • A typosquatted package whose name imitates a popular one
  • A package with a serious, highly exploitable vulnerability
  • Other factors, such as an unmaintained or end-of-life package

We need a way for both developers and coding agents to select safe packages while they are building applications.

This is why we are releasing the boostsecurity safe package MCP server. By simply adding this MCP server to your coding agent of choice, you let the agent check each package BEFORE it is installed, cutting off these supply chain risks at the point where the dependency would otherwise enter your project.

There is no need to create an account. Just follow the instructions, and within a few minutes you’ll have more peace of mind…

Today, we support the following ecosystems: Python (PyPI), Go (Go modules), TypeScript/JavaScript (npm), Java (Maven), and .NET (NuGet).

The MCP server is tested and works with Cursor, Claude Code, Windsurf and VS Code, and with very little tweaking it runs in virtually any MCP client.

Let’s look at how it works inside Claude Code:

Step 1: Enable the MCP server 

Step 2: Profit

In the example above, the safe packages MCP server detected a known vulnerability that is fixed by simply upgrading the package, so the agent installed the fixed version instead.

Had the package been typosquatted, contained malware, or been unmaintained, the MCP server would have told the coding agent to find an alternative package and given the reason. If the agent could not find one, it would consult the developer.
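To make the decision logic concrete, here is an added, self-contained model of a pre-install gate that follows the rules described above and in the list of dangerous-package categories earlier in the post: a known, fixed vulnerability becomes an "upgrade" instruction, while malware, typosquats and unmaintained packages become "find an alternative, because ...". This is illustrative code written for this post, not BoostSecurity's MCP server, and the advisory data, package names and dates in it are constructed for the example; the real server uses its own intelligence and exposes the check as an MCP tool rather than a plain Python function.

```python
"""Toy pre-install package gate (added example, not BoostSecurity's server).

All "intelligence" below is constructed for the example: the package names
are made up, the advisory id is fake, and TODAY is fixed for determinism.
"""
from dataclasses import dataclass
from datetime import date

# Well-known names that squatters imitate (illustrative subset of real packages).
POPULAR = {"pypi": {"requests", "numpy", "urllib3", "cryptography"}}
# Packages known to ship malware (names invented for this example).
MALWARE = {("pypi", "colourful-logz")}
# Known vulnerabilities: (ecosystem, name) -> [(affected_below, fixed_in, advisory_id)]
VULNS = {("pypi", "demo-httpclient"): [((2, 3, 0), "2.3.0", "EXAMPLE-ADV-0001")]}
# Most recent release date, used for the unmaintained / end-of-life check.
LAST_RELEASE = {
    ("pypi", "demo-httpclient"): date(2025, 1, 10),
    ("pypi", "ancient-xmlutil"): date(2016, 4, 2),
}
UNMAINTAINED_AFTER_DAYS = 3 * 365
TODAY = date(2025, 6, 1)  # fixed so the example output never changes


@dataclass
class Verdict:
    action: str        # "install" | "upgrade" | "find_alternative" | "ask_developer"
    reason: str
    suggestion: str = ""


def parse_version(v: str) -> tuple:
    """Minimal numeric version parse; sufficient for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: flags names one typo away from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(ecosystem: str, name: str):
    """Return the popular package this name imitates, or None."""
    name = name.lower()
    for popular in POPULAR.get(ecosystem, ()):
        if name != popular and edit_distance(name, popular) <= 1:
            return popular
    return None


def check_package(ecosystem: str, name: str, version: str) -> Verdict:
    key = (ecosystem, name.lower())

    # 1. Malware: never install, whatever the version.
    if key in MALWARE:
        return Verdict("find_alternative", f"{name} is known to contain malware")

    # 2. Typosquat: one edit away from a well-known name; point at the real one.
    target = typosquat_target(ecosystem, name)
    if target:
        return Verdict("find_alternative",
                       f"{name} looks like a typosquat of {target}", suggestion=target)

    # 3. Unmaintained / end of life: no release for a long time.
    last = LAST_RELEASE.get(key)
    if last and (TODAY - last).days > UNMAINTAINED_AFTER_DAYS:
        return Verdict("find_alternative",
                       f"{name} has had no release since {last.isoformat()}")

    # 4. Known vulnerability with a fix: tell the agent which version to install.
    v = parse_version(version)
    for affected_below, fixed_in, advisory in VULNS.get(key, []):
        if v < affected_below:
            return Verdict("upgrade", f"{name} {version} is affected by {advisory}",
                           suggestion=fixed_in)

    # 5. No data at all: fail closed and let a human decide (a design choice of
    #    this example; the post only says the agent consults the developer when stuck).
    if key not in LAST_RELEASE and key not in VULNS:
        return Verdict("ask_developer", f"no data for {name}; confirm before installing")

    return Verdict("install", "no findings")


if __name__ == "__main__":
    for args in [("pypi", "demo-httpclient", "2.1.0"), ("pypi", "demo-httpclient", "2.3.1"),
                 ("pypi", "requets", "2.31.0"), ("pypi", "colourful-logz", "1.0.0"),
                 ("pypi", "ancient-xmlutil", "0.9.0"), ("pypi", "never-heard-of-it", "1.0.0")]:
        print(args, "->", check_package(*args))
```

The ordering matters: malware and typosquats are rejected before the version is even parsed, because no upgrade makes them safe, while a vulnerability only produces an upgrade instruction when the data names a fixed version. Note that the Levenshtein check with a threshold of one edit catches a dropped or extra character but not a swapped pair (it needs a transposition-aware distance or a larger threshold for that), which is one reason a real service combines name similarity with registry metadata such as publish date and download counts rather than relying on string distance alone.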

We live in exciting times. Unfortunately, these are dangerous times as well. This MCP server tackles one of the bigger risks. 

Happy agentic coding !
