HacktronAI / cull

Public

cull the compromised

19
0
100% credibility
Found Apr 03, 2026 at 19 stars.
AI Analysis
Python
AI Summary

A standalone tool that searches for known compromised versions of npm packages in local project files, online code repositories, and container images.

How It Works

1. 📰 Hear about risky packages: You learn that some common software building blocks have been tampered with and could harm your projects.

2. 📥 Get the safety checker: You download and set up this simple tool on your computer to hunt for those dangerous pieces.

3. 🔍 Name the suspects: You list the specific risky package names and versions you want the tool to search for in your work.

4. Choose where to look:
   - 🏠 Your folders: Check files and folders on your own computer.
   - ☁️ Online projects: Search through your shared code collections online.
   - 🐳 App bundles: Inspect ready-made app packages and libraries.

5. Run the hunt: The tool quickly searches everywhere you chose and lights up any matches it finds.

6. See you're safe: You get a clear report showing what's clean, what's pinned safely, and any issues to fix, so your projects stay secure.

AI-Generated Review

What is cull?

Cull is a Python CLI tool that scans your infrastructure for known compromised npm package versions, such as axios@1.14.1 or plain-crypto-js, so you can cull the compromised before they spread. Run `cull package@version` to check lock files (pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock), node_modules directories, GitHub repositories via code search, and Docker image layers, including local images and the GCR and GAR registries. It distinguishes an exact match on the bad version from a safe pin to another version, and exits 0 for clean, 1 for infected, and 2 for scan errors. It uses only the Python standard library.
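As an added illustration of the lockfile check described above (this is not cull's own code), the following stdlib-only Python scanner walks a constructed package-lock.json, separates an exact hit on the bad version from a safe pin to another version, and maps the outcome onto the same 0/1/2 exit convention. The sample lockfile and the nested install layout are constructed; the target axios@1.14.1 is the version the review names.

```python
import json
from typing import Iterator

# Constructed sample package-lock.json (lockfileVersion 3 layout): the top-level
# copy of the target package is pinned to a different version, while a nested
# copy under another dependency resolves to the bad version.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0", "left-pad": "1.3.0"}},
        "node_modules/axios": {"version": "1.14.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/axios": {"version": "1.14.1"},
    },
})

def iter_installed(lock: dict) -> Iterator[tuple[str, str]]:
    """Yield (package name, resolved version) for every installed entry.
    Uses the v2/v3 'packages' map (keyed by install path) when present,
    otherwise the v1 'dependencies' tree (keyed by name, nested)."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path and "version" in meta:
                # Name is everything after the last 'node_modules/' (scopes kept).
                yield path.rsplit("node_modules/", 1)[-1], meta["version"]
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        if "version" in meta:
            yield name, meta["version"]
        stack.extend(meta.get("dependencies", {}).items())

def scan_lock(lock_text: str, target: str) -> dict[str, list[str]]:
    """Classify every installed copy of the target package as an exact hit on
    the bad version ('infected') or a pin to some other version ('pinned_safe')."""
    name, bad_version = target.rsplit("@", 1)  # works for @scope/pkg@x.y.z too
    try:
        lock = json.loads(lock_text)
    except json.JSONDecodeError:
        return {"error": ["unparseable lockfile"]}
    result: dict[str, list[str]] = {"infected": [], "pinned_safe": []}
    for pkg, version in iter_installed(lock):
        if pkg == name:
            result["infected" if version == bad_version else "pinned_safe"].append(version)
    return result

def exit_code(result: dict) -> int:
    """Same convention as the review describes: 0 clean, 1 infected, 2 scan error."""
    if "error" in result:
        return 2
    return 1 if result["infected"] else 0
```

Running `scan_lock(SAMPLE_LOCK, "axios@1.14.1")` reports the nested 1.14.1 copy as infected and the top-level 1.14.0 as pinned-safe, so `exit_code` returns 1.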

Why is it gaining traction?

Zero dependencies mean no supply-chain risk of its own: install via git clone, skipping PyPI entirely. Version-aware scanning across diverse targets, such as GitHub orgs or Docker layers, sets it apart from basic lockfile checkers. Devs like the one-liner checks for known compromised versions, with clear output distinguishing real hits from pinned-safe versions.

Who should use this?

Node.js devs and DevOps engineers auditing projects or CI pipelines for compromised deps. Security teams scanning GitHub orgs, local dirs, or container registries like GCR before deploys. Infra ops handling Docker images who want quick confirmation on bad npm pins without heavy tools.

Verdict

At 19 stars and a 1.0% credibility score, cull is early-stage with solid README docs but no tests or broad adoption; its proprietary license limits contributions. Worth a git clone for targeted npm compromise hunts if you're in the Node/Docker ecosystem; skip it for general vulnerability scanning.
