Koidex helps you answer one question fast: "Is this safe to install?". Search extensions, code packages, and AI models across VS Code, JetBrains, npm, and Hugging Face. You can also install the Koidex IDE extension for real-time background scanning in Cursor and Windsurf. Free, no setup.
Trust is the biggest hurdle for AI adoption right now. I've been focusing on "intent locking" to stop AI agents from adding unsolicited features or over-engineering code, but the security side is just as critical.
Is Koidex primarily looking at malicious code patterns, or can it also detect when an AI model starts behaving "off-spec" during long sessions? Great tool for the current ecosystem!
A product like this could help other startups overcome a trust barrier. Maybe we could put a "koidex badge" on our site to independently prove safety!
Congrats on the launch!
Huge congrats on launching a much-needed security layer for dev workflows. While the real-time IDE scanning and behavior-based scoring are fantastic for individual developer workstations, I’m curious about your broader enterprise roadmap. Do you have plans to integrate Koidex directly into CI/CD pipelines (like GitHub Actions or GitLab) to automatically block risky npm packages or malicious models before they even merge?
Behavior-based scoring is the right call. Most registry security tools just check known CVE lists, but the real danger is packages that pass all the obvious checks and do something unexpected at install time. Focusing on what the code actually does rather than what the listing claims is a much stronger signal.
The IDE extension scanning installed extensions in real time is a nice touch - most developers don't revisit what they've already installed. One question: how does the scoring handle packages with legitimate but unusual permission patterns? Something like a build tool that needs file system access and network calls could look suspicious by the same heuristics that catch actual malware.
I appreciate your team building this. It's unfortunate that we can't trust the storefronts for all of these tools to verify their safety and validity, but in these trying times, where AI can build and ship useful tools that have an undisclosed malicious purpose, it is helpful to know that a new type of virus/malware scan is being actively developed to provide another level of safety to all.
The scoring feels opinionated in a good way. How do you balance “this needs broad permissions to work” vs “this is overreaching”?
This tool is seriously awesome. I’m always nervous about downloading sketchy extensions (but I still install them sometimes). I’m definitely using this from now on. Great job!
Love the idea of one-click due diligence. Finally, a tool that keeps developers safe without slowing us down! 👏
Love the “Catch of the Day” concept. How often is it refreshed, and what qualifies something to show up there?
Great launch!!!!!!! This is one of those “why doesn’t this already exist” products. Curious how you detect suspicious behavior without running the code on my machine?
Interesting. How do you find what is suspicious and what is safe though? What tech are you using on the backend? Asking to check the reliability.
Congrats on launching. MCP seems to be an enterprise feature. Is there pricing for enterprise?
How exactly does it work? I tried to input the name of a Chrome extension, but it said "No items found matching your search". Does that mean it is not safe?
I installed the IDE flow in Cursor and it instantly showed a couple extensions I forgot I even had. That alone is worth it. Does it alert when an extension updates and changes behavior?
This is the first time I can quickly sanity check an extension without falling into a rabbit hole. Nice job. Do you update scores automatically when an extension releases a new version?
👋 Hey Product Hunt! I’m Amit, Co-founder of Koi.
Today we’re launching Koidex. It helps you quickly check whether a package, extension, or AI model looks safe before it enters your stack.
Try it here: Koidex → https://dex.koi.security/?ref=producthunt
📖 Why We Built It
We’re the research team behind the discoveries of GlassWorm, ShadyPanda, and PhantomRaven, and we’ve seen how easily malicious code hides in “normal” developer tooling.
To prove how fast these blind spots get targeted, we ran a blunt test: we published a harmless lookalike VS Code theme and saw installs from large-company networks within 30 minutes. The industry knows these threats exist, but workflows haven’t changed. That was the moment we realized: “one-click install” needs “one-click due diligence.”
💡 What You Can Do With Koidex Today
🔍 Unified Search: One place to check VS Code, Chrome, JetBrains, npm, Hugging Face, and more.
🧠 Behavior-Based Scoring: Focuses on what the code actually does, not just what the listing claims.
🧾 Readable Risk Summaries: Vulnerabilities, deep dependencies, permissions, and publisher signals.
🐟 Catch of the Day: Fresh suspicious or malicious items spotted in the wild.
👨🏻‍💻 Koidex IDE Extension: Scans installed extensions and flags risky installs in real time across VS Code, Cursor, Windsurf, VSCodium, and more.
🎁 Product Hunt Launch Offer
First 200 registrants via the Product Hunt link get unlimited searches for 2 weeks. Sign up here: https://dex.koi.security/?ref=producthunt
🙏 What I’d Love Feedback On
What ecosystem should we evaluate next?
What’s the one signal you wish you had before installing something?
If you try it, drop a package, extension, or model you use and tell me if the rating matches your gut.
I’m here in the comments!