About amiexposed

Real-time, community-driven supply-chain breach intel for the packages you actually use.

The problem

When a wave like Shai-Hulud, the chalk/debug compromise, or the @antv hijack hits npm, security teams burn hours doing the same thing in parallel: pulling a package inventory off their fleet, then frantically grepping it against half a dozen vendor blog posts and GHSA pages to figure out whether they're exposed.

The data is public but fragmented — Socket, Snyk, Aikido, Wiz, CISA, GitHub Advisories, and others publish overlapping but never-identical lists, with different versions and different timing. By the time the official advisory lands, the worm has already done its thing.

How it works

Drop in a package inventory — first-class support for Perplexity's bumblebee NDJSON output, with lockfile and SBOM formats as secondary — and amiexposed tells you exactly which name@version pairs match a tracked compromise.

  • Confirmed exposure — exact matches against a vetted compromised-package record. Shown loudly.
  • Suggestions — matches against community-submitted but not-yet-confirmed reports. Shown softly so you're not flooded with FUD, but enough to investigate.
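The two-tier matching described above, written out as an added example. This is not amiexposed's code: the inventory field names (`name`, `version`, `host`), the NDJSON sample, and both record lists are constructed assumptions, not the real bumblebee format or any real advisory feed. The point it shows is exact name@version matching with confirmed hits kept separate from community suggestions, and with malformed inventory lines counted and skipped rather than aborting the run.

```javascript
// Added example, not part of amiexposed. Matches an NDJSON package inventory
// (assumed fields: name, version, optional host) against two tiers of
// compromised-package records, keeping confirmed hits apart from suggestions.

// Constructed "vetted" records: exact name@version pairs confirmed compromised.
const CONFIRMED = new Set([
  "example-left-pad@9.9.9",
  "@example/charts@2.0.1",
]);

// Constructed community-submitted, not-yet-confirmed reports.
const SUGGESTED = new Set([
  "example-left-pad@9.9.8",
  "example-logger@4.4.4",
]);

// Canonical lookup key. Assumption: some inventory sources prefix versions
// with "v" or "=", so those are stripped before the exact comparison.
function key(name, version) {
  const v = String(version).trim().replace(/^[v=]/, "");
  return `${String(name).trim()}@${v}`;
}

// Parse NDJSON: one JSON object per line. Blank lines are ignored; malformed
// lines or objects missing name/version are counted as skipped, not fatal.
function parseInventory(ndjson) {
  const packages = [];
  let skipped = 0;
  for (const raw of ndjson.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    try {
      const obj = JSON.parse(line);
      if (typeof obj.name !== "string" || typeof obj.version !== "string") {
        skipped++;
        continue;
      }
      const host = typeof obj.host === "string" ? obj.host : null;
      packages.push({ name: obj.name, version: obj.version, host });
    } catch (err) {
      skipped++;
    }
  }
  return { packages, skipped };
}

// Bucket each inventory entry: confirmed record wins over a suggestion for the
// same key; hosts are aggregated per matched package so a team can see spread.
function classify(packages) {
  const confirmed = new Map();
  const suggestions = new Map();
  for (const p of packages) {
    const k = key(p.name, p.version);
    const bucket = CONFIRMED.has(k) ? confirmed : SUGGESTED.has(k) ? suggestions : null;
    if (!bucket) continue;
    if (!bucket.has(k)) bucket.set(k, new Set());
    if (p.host) bucket.get(k).add(p.host);
  }
  const byKey = (a, b) => (a.pkg < b.pkg ? -1 : a.pkg > b.pkg ? 1 : 0);
  const toList = (m) =>
    [...m.entries()]
      .map(([pkg, hosts]) => ({ pkg, hosts: [...hosts].sort() }))
      .sort(byKey);
  return { confirmed: toList(confirmed), suggestions: toList(suggestions) };
}

// Constructed inventory: two confirmed hits (one with a "v" prefix), one
// suggestion, one clean version, one non-JSON line, one object missing version.
const SAMPLE_NDJSON = `
{"host":"web-01","name":"example-left-pad","version":"9.9.9"}
{"host":"web-02","name":"example-left-pad","version":"v9.9.9"}
{"host":"web-02","name":"@example/charts","version":"2.0.1"}
{"host":"ci-01","name":"example-logger","version":"4.4.4"}
{"host":"ci-01","name":"example-logger","version":"4.4.5"}
not json at all
{"host":"db-01","name":"example-left-pad"}
`;

function run(ndjson = SAMPLE_NDJSON) {
  const { packages, skipped } = parseInventory(ndjson);
  return { ...classify(packages), skipped, total: packages.length };
}

console.log(JSON.stringify(run(), null, 2));
```

On the constructed sample, `run()` reports five parsed entries, two skipped lines, two confirmed packages (`@example/charts@2.0.1` on web-02 and `example-left-pad@9.9.9` on both web hosts) and one suggestion (`example-logger@4.4.4` on ci-01); the clean `example-logger@4.4.5` is silently ignored, which is the behaviour that keeps the "softly shown" tier from flooding a team with noise.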

Privacy

Inventories are parsed in your browser when possible and not stored server-side by default. Terminal uploads via curl keep parsed triples in Cloudflare KV for 24 hours so you can share a result URL with your team — then they expire.

Stack

Astro + React on Cloudflare Workers, backed by ClickHouse via Tinybird for the lookup path. Built to be queried by a file upload, not by browsing.

Who's behind this

amiexposed is a project from Aztecknology.
