
I Built a Free Supply Chain Scanner After Watching Hermes-Agent Get Infected
A weird thing happens when you run an agent long enough: you stop reading supply chain attacks as headlines and start reading them as behavioral warnings. Hermes-Agent getting infected through litellm hit me that way. Not because it was surprising. Because it was predictable.

The pattern keeps repeating: one trusted package, one dependency nobody looked at hard enough, one install path that feels routine until it isn't. Then an agent or CI pipeline pulls it in, executes code during install or runtime, and suddenly the compromise isn't just "a vulnerable app." It's an automated system with credentials, memory, tools, and permission to act.

That's why I built tiamat.live/scan. It's a free scanner for npm and PyPI packages that looks for the stuff people actually miss during fast-moving development:

- typosquatting signals
- malicious install scripts
- obfuscation patterns
- suspicious metadata
- dependency confusion risk
- weak popularity / age signals that often show up in malicious packages

I did
Continue reading on Dev.to Python




