Know if a package, extension, or AI model is actually safe
Koidex helps you answer one question fast: "Is this safe to install?" Search extensions, code packages, and AI models across VS Code, JetBrains, npm, and Hugging Face. You can also install the Koidex IDE extension for real-time background scanning in Cursor and Windsurf. Free, no setup.
👋 Hey Product Hunt! I’m Amit, Co-founder of Koi.
Today we’re launching Koidex. It helps you quickly check whether a package, extension, or AI model looks safe before it enters your stack.
Try it here: Koidex → https://dex.koi.security/?ref=producthunt
📖 Why We Built It
We’re the research team behind the discoveries of GlassWorm, ShadyPanda, and PhantomRaven, and we’ve seen how easily malicious code hides in “normal” developer tooling.
To prove how fast these blind spots get targeted, we ran a blunt test: we published a harmless lookalike VS Code theme and saw installs from large-company networks within 30 minutes. The industry knows these threats exist, but workflows haven’t changed. That was the moment we realized: “one-click install” needs “one-click due diligence.”
💡 What You Can Do With Koidex Today
🔍 Unified Search: One place to check VS Code, Chrome, JetBrains, npm, Hugging Face, and more.
🧠 Behavior-Based Scoring: Focuses on what the code actually does, not just what the listing claims.
🧾 Readable Risk Summaries: Vulnerabilities, deep dependencies, permissions, and publisher signals.
🐟 Catch of the Day: Fresh suspicious or malicious items spotted in the wild.
👨🏻‍💻 Koidex IDE Extension: Scans installed extensions and flags risky installs in real time across VS Code, Cursor, Windsurf, VSCodium, and more.
🎁 Product Hunt Launch Offer
First 200 registrants via the Product Hunt link get unlimited searches for 2 weeks. Sign up here: https://dex.koi.security/?ref=producthunt
🙏 What I’d Love Feedback On
What ecosystem should we evaluate next?
What’s the one signal you wish you had before installing something?
If you try it, drop a package, extension, or model you use and tell me if the rating matches your gut.
I’m here in the comments!