BUILDING IN PUBLIC · FIRST RELEASE IN 30 DAYS
Marshal watches Maven Central, npm, and PyPI for behavioral signals of supply-chain attacks — maintainer takeovers, suspicious install scripts, obfuscated payloads, sudden version jumps — and blocks them at PR time, before they reach your build.
JVM-first. Self-hostable. Open-source CLI and GitHub Action.
We'll email you when the first release ships. No marketing, no sharing, unsubscribe in one click.
CVE scanners catch yesterday's vulnerabilities: they depend on a public disclosure, which typically arrives weeks or months after a malicious version is already in production. Marshal watches behavioral signals instead, meaning what changed in this release, who pushed it, and what it does at install time, and flags risky updates the same day they appear in the registry.
Marshal flags suspicious package versions within minutes of publication, not weeks after a CVE is filed.
A GitHub Action gates every dependency update with a 0–100 risk score and a clear reason. Slack and email alerts included.
Run the watcher in your own infrastructure. Helps your team meet ISO 27001, EU Cyber Resilience Act, and DORA supply-chain monitoring obligations.
HOW IT WORKS
Marshal monitors Maven Central, npm, and PyPI for new versions of every dependency in your repo.
Each new version is scored 0–100 across 30+ behavioral signals: maintainer changes, install hooks, network calls, obfuscation, dependency surface area.
Risky updates fail your PR check with a clear reason. Safe updates pass silently. Slack and email alerts on critical findings.
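To make "behavioral signals" concrete, here is an added example of the kind of scoring the three steps above describe. It is illustrative code written for this page, not Marshal's own scorer: the signal set, the weights, the npm-style record fields (`maintainers`, `scripts`, `dependencies`, `files`), the regexes and the 60-point gate threshold are all assumptions, and the three release records are constructed samples, not real packages.

```python
"""Illustrative behavioral risk scorer for a dependency update (added example,
not Marshal's code). Compares two consecutive release records of an npm-style
package and scores the newer one 0-100. Weights, field names, regexes and the
gate threshold are assumptions chosen for illustration."""
import re

# Assumed per-signal weights; the summed score is capped at 100.
WEIGHTS = {
    "maintainer_replaced": 35,      # whole maintainer set swapped out
    "install_hook_added": 25,       # new preinstall/install/postinstall
    "install_hook_network": 20,     # install hook fetches something
    "obfuscated_source": 20,        # eval / hex escapes / long base64 blobs
    "major_version_jump": 10,       # skipped a major version
    "dependency_surface_grew": 5,   # new transitive surface
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
NETWORK_RE = re.compile(r"\b(curl|wget)\b|https?://")
OBFUSCATION_RE = re.compile(
    r"eval\s*\(|new\s+Function\s*\(|(?:\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/=]{120,}")

def parse_semver(v):
    """Return (major, minor, patch) ints; pre-release and build suffixes ignored."""
    core = v.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def signals(prev, new):
    """Yield (signal_name, reason) for each suspicious change from prev to new."""
    prev_m, new_m = set(prev["maintainers"]), set(new["maintainers"])
    if new_m and not (prev_m & new_m):   # adding a co-maintainer is not flagged
        yield "maintainer_replaced", f"maintainers {sorted(prev_m)} -> {sorted(new_m)}"
    prev_hooks = {h for h in INSTALL_HOOKS if h in prev.get("scripts", {})}
    new_hooks = {h for h in INSTALL_HOOKS if h in new.get("scripts", {})}
    if new_hooks - prev_hooks:
        yield "install_hook_added", f"new install hook(s): {sorted(new_hooks - prev_hooks)}"
    for hook in sorted(new_hooks):
        if NETWORK_RE.search(new["scripts"][hook]):
            yield "install_hook_network", f"{hook} reaches the network: {new['scripts'][hook]!r}"
            break
    for path, src in new.get("files", {}).items():
        if OBFUSCATION_RE.search(src):
            yield "obfuscated_source", f"obfuscation pattern in {path}"
            break
    if parse_semver(new["version"])[0] - parse_semver(prev["version"])[0] > 1:
        yield "major_version_jump", f"{prev['version']} -> {new['version']}"
    added = set(new.get("dependencies", {})) - set(prev.get("dependencies", {}))
    if added:
        yield "dependency_surface_grew", f"new dependencies: {sorted(added)}"

def score(prev, new):
    """Return (risk 0-100, list of human-readable reasons)."""
    total, reasons = 0, []
    for name, reason in signals(prev, new):
        total += WEIGHTS[name]
        reasons.append(f"{name} (+{WEIGHTS[name]}): {reason}")
    return min(total, 100), reasons

def gate(prev, new, threshold=60):
    """PR-check decision: 'fail' at or above threshold, else 'pass'."""
    return "fail" if score(prev, new)[0] >= threshold else "pass"

# Constructed sample releases of a fictional package (not real registry data).
BENIGN_PREV = {"version": "2.3.1", "maintainers": ["alice"],
               "scripts": {"test": "node test.js"}, "dependencies": {"padlib": "^1.0.0"},
               "files": {"index.js": "module.exports = (s, n) => s.padStart(n);"}}
BENIGN_NEW = {"version": "2.3.2", "maintainers": ["alice"],
              "scripts": {"test": "node test.js"}, "dependencies": {"padlib": "^1.0.0"},
              "files": {"index.js": "module.exports = (s, n) => String(s).padStart(n);"}}
# Legitimate native-addon release: one install hook, no other signal.
NATIVE_BUILD_NEW = {"version": "2.4.0", "maintainers": ["alice"],
                    "scripts": {"test": "node test.js", "install": "node-gyp rebuild"},
                    "dependencies": {"padlib": "^1.0.0"}, "files": BENIGN_NEW["files"]}
# Hypothetical takeover: new maintainer, skipped major, postinstall, obfuscated blob.
HIJACKED_NEW = {"version": "4.0.0", "maintainers": ["mallory"],
                "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
                "dependencies": {"padlib": "^1.0.0", "tiny-http-client": "^0.1.0"},
                "files": {"index.js": BENIGN_NEW["files"]["index.js"],
                          "setup.js": "eval(Buffer.from('" + "A" * 200 + "','base64').toString());"}}

if __name__ == "__main__":
    for label, new in (("patch release", BENIGN_NEW), ("native build", NATIVE_BUILD_NEW),
                       ("hijacked release", HIJACKED_NEW)):
        s, reasons = score(BENIGN_PREV, new)
        print(f"{label}: score={s} gate={gate(BENIGN_PREV, new)}")
        for r in reasons:
            print("  -", r)
```

Two design points worth noting. A single signal is deliberately not enough to fail the check: the native-addon release adds an `install` hook, which is common and legitimate, and scores 25, well under the 60-point gate, whereas the hijacked release stacks a maintainer swap, a new hook, an obfuscated file, a skipped major version and a new dependency and scores 95. And the maintainer signal fires only when the previous maintainers have all disappeared, because adding a co-maintainer is routine while a complete handover is the pattern seen in account takeovers. Any real deployment would tune the weights and threshold against its own false-positive rate.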
A NOTE FROM THE FOUNDER
I'm Usman, building Marshal solo from Tilburg. I've spent the last decade writing Java for teams where "dependency security" meant a periodic CVE scan and a hope that nothing landed between sweeps. Marshal is the tool I wished existed.
The CLI and GitHub Action will be open-source from day one. The hosted watcher is how I keep the lights on. Follow along — I'm shipping the first release in 30 days and posting weekly progress.
— Usman
PRICING
The CLI and GitHub Action are open-source under the Apache 2.0 license. The hosted watcher starts at €29/repo/month for teams, with self-hosted Enterprise pricing for regulated organizations. Full pricing at launch.
Get an email when the first release ships. Roughly weekly notes between now and then. You can leave any time.
By submitting, you agree to receive updates from Marshal. We use Buttondown to send emails. See our Privacy Policy.