Veln — every package, verified
Block bad npm and pip packages. Before they download.
Over 20 trust signals score every npm and pip install — CVEs, maintainer drift, install scripts, hidden payloads. Bad packages refused before they download.
Supply chain attacks on npm and PyPI keep landing in production — usually hours before any threat feed catches up. Veln is a local proxy that scores every install against 20+ trust signals (CVEs, maintainer changes, install scripts, hidden payloads) before a single byte hits your disk. Same commands, same lockfiles, zero workflow change.
Hey Product Hunt 👋
Veln blocks malicious npm and pip packages before they download. Not after the install. Not after a threat feed flags them. Before.
The gap I kept coming back to: nearly every major npm and PyPI supply chain attack of the last few years exploited the same window — the hours (sometimes days) between a malicious version being published and any feed catching it. event-stream ran live for weeks in 2018. PyPI typosquats of `requests`, `boto3`, and `numpy` routinely live for days. During that window, your `npm install` trusts the registry completely. Nothing actually checks what you're pulling.
Veln runs as a local proxy. Every package gets scored against 20+ trust signals before a single byte reaches your disk — known CVEs, recent maintainer changes, install scripts, obfuscated payloads, suspicious tarball patterns, age of publish, and more. Brand-new versions sit in a cooling gate until they've earned trust. Previously-seen packages clear from the local cache in under 50ms. When Veln blocks, it names the exact signal that fired — file, line, reason. No vague "suspicious activity detected."
A few deliberate calls:
- Same commands, same lockfiles, zero workflow change. `npm`, `yarn`, `pnpm`, `bun`, `pip`, `uv`, `poetry`, `pipx` — all unchanged. `npm ci` and `pip install -r requirements.txt` work normally.
- $4.99 per license per month, drops to $3.99 once an org passes 50 licenses. One plan, no free tier. Security tooling needs to be sustainable, and free tiers attract exactly the wrong incentives in this space.
- Works on Linux, macOS, and Windows. Per-machine licensing.
If you've ever copy-pasted an install command without thinking — whether it came from a Stack Overflow answer, a README, a coworker's Slack message, or a coding agent — Veln is the layer you didn't know was missing.
Would love feedback on three things specifically: the local proxy install flow, the cooling gate timing on fresh publishes, and whether the block messages give you enough to act on without spelunking. Happy to AMA on any of the boring infrastructure stuff too.
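The score-before-download idea described in the launch post can be sketched in a few dozen lines. The block below is an added illustration, not Veln's code and not any of its real signals: a toy scorer that runs four hypothetical checks (npm lifecycle install scripts, long encoded blobs and decode-and-execute patterns, a maintainer added since the previous version, and a publish-age cooling gate) over a constructed npm package, and reports each hit as file, line and reason in the style of the block messages the post describes. The weights, the 72-hour cooling period, the block threshold and the sample packages are all invented for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed values for this illustration only; not Veln's thresholds.
COOLING_PERIOD = timedelta(hours=72)   # fresh versions wait this long before they are trusted
BLOCK_THRESHOLD = 50                   # cumulative risk score at which an install is refused
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock so the example is deterministic

# Every finding is (weight, location, reason): the "file, line, reason" a block message should carry.

def check_install_scripts(manifest):
    """npm runs these hooks automatically on install, the classic place to hide a payload."""
    scripts = manifest.get("scripts", {})
    return [(40, "package.json", f"lifecycle script '{hook}': {cmd}")
            for hook, cmd in scripts.items()
            if hook in ("preinstall", "install", "postinstall")]

BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")                                   # long base64-looking run
DYNAMIC = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|Buffer\.from\([^)]*base64")

def check_obfuscation(files):
    """Flag lines carrying a long encoded blob or a decode-and-execute pattern."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if BLOB.search(line):
                findings.append((30, f"{path}:{lineno}", "long encoded blob"))
            if DYNAMIC.search(line):
                findings.append((20, f"{path}:{lineno}", "dynamic code execution or base64 decode"))
    return findings

def check_maintainer_drift(previous, current):
    """A publisher who was not on the last release deserves a second look."""
    added = sorted(set(current) - set(previous))
    return [(15, "registry metadata", f"new maintainer(s) since previous version: {added}")] if added else []

def check_cooling_gate(published_at):
    """Brand-new versions are refused outright until the cooling period has passed."""
    age = NOW - published_at
    if age < COOLING_PERIOD:
        return [(100, "registry metadata", f"published {age} ago, inside {COOLING_PERIOD} cooling gate")]
    return []

def score_package(manifest, files, published_at, previous_maintainers, current_maintainers):
    """Run every signal, sum the weights, and return the decision with its named reasons."""
    findings = (check_install_scripts(manifest) + check_obfuscation(files)
                + check_maintainer_drift(previous_maintainers, current_maintainers)
                + check_cooling_gate(published_at))
    score = sum(weight for weight, _, _ in findings)
    return {"decision": "block" if score >= BLOCK_THRESHOLD else "allow",
            "score": score, "findings": findings}

# Constructed sample packages (not real registry data).
def demo_malicious():
    manifest = {"name": "example-widget", "version": "1.4.2",
                "scripts": {"postinstall": "node setup.js"}}
    files = {"setup.js": "const p = '" + "A" * 240 + "';\n"
                         "eval(Buffer.from(p, 'base64').toString());\n",
             "index.js": "module.exports = () => 42;\n"}
    return score_package(manifest, files, NOW - timedelta(hours=2), ["alice"], ["alice", "mallory"])

def demo_benign():
    manifest = {"name": "example-widget", "version": "1.4.1"}
    files = {"index.js": "module.exports = () => 42;\n"}
    return score_package(manifest, files, NOW - timedelta(days=30), ["alice"], ["alice"])

if __name__ == "__main__":
    for result in (demo_malicious(), demo_benign()):
        print(result["decision"], result["score"])
        for weight, where, why in result["findings"]:
            print(f"  [{weight:>3}] {where}: {why}")
```

Two design points worth noting. The cooling gate carries enough weight to block on its own, which is what a "sit until it has earned trust" policy means in practice: no amount of clean-looking code overrides a version that is two hours old. And each finding keeps its own location so the refusal can name `setup.js:2` rather than a generic "suspicious activity"; the real product's CVE lookup, tarball analysis and cache are out of scope here, and the example does no network access at all.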
Nice launch, Pavle. Wild timing with the Shai-Hulud npm attack today.
Curious what your take is on it. From your perspective, was this mostly a case of teams needing better package verification before install, or does it point to a deeper trust problem with the npm ecosystem itself?
About Veln — every package, verified on Product Hunt
Veln — every package, verified was submitted on Product Hunt and earned 17 upvotes and 4 comments, placing #37 on the daily leaderboard.
Veln — every package, verified was featured in SaaS (42.2k followers), Developer Tools (512.9k followers) and Tech (624.1k followers) on Product Hunt. Together, these topics include over 277k products, making this a competitive space to launch in.
Who hunted Veln — every package, verified?
Veln — every package, verified was hunted by Pavle. A “hunter” on Product Hunt is the community member who submits a product to the platform, uploading the images and the link and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community.