An experimental open-source supply-chain security project. We use agentic LLM systems to surface compromised packages — backdoored plugins, hijacked dependencies, malicious updates — and coordinate their disclosure. Findings are published here only once the vendor has had a chance to fix.
02 Disclosure policy
We report issues privately to the affected vendor and give them 90 days to ship a fix before anything is published. The clock starts on first contact. If a vendor responds quickly, asks for more time in good faith, or the issue is already being exploited in the wild, we adjust the timeline accordingly. Technical detail stays embargoed until disclosure.
03 Team
- Eu Joe model, evals, pipeline
- Damien Wong triage, manual review
- Others TBD
04 Contact
Reports, questions, or coordination: joe@cooties.io. A PGP key is available on request for sensitive material.