# attach-guard
Supply chain security plugin for Claude Code. Blocks compromised packages before they're installed.
## The Problem
Claude Code installs packages on your behalf — often without you reviewing each one. Existing security tools scan after the fact or rely on advisory prompts that Claude can skip. There is no open-source guardrail that sits directly in front of package install commands and blocks risky packages before they execute.
## What attach-guard Does
attach-guard is a Claude Code plugin that intercepts package installation commands and evaluates them against policy before execution. It is not an advisory scanner. It is a hard enforcement boundary.
- Installs as a Claude Code plugin — no manual hook configuration needed
- Intercepts `npm install`, `pnpm add`, `pip install`, `go get`, and `cargo add` commands via PreToolUse hooks
- Checks package scores, age, and alerts via Socket.dev
- Denies known malware and low-score packages automatically
- Asks for confirmation on gray-band packages
- Rewrites unpinned installs to safe pinned versions when possible
- Fails closed when the provider is unavailable
- Logs every decision to a local JSONL audit trail
## Smart Version Replacement: Block Without Breaking Flow
Most security tools just say "no." attach-guard says "no, but here's a safe alternative."
When a risky version is blocked, attach-guard finds the newest version that passes policy and offers it as a replacement. Claude sees the safe alternative and can proceed immediately — your flow doesn't stop, it gets redirected to a safe path.
npm — axios v1.14.1 and v0.30.4 were compromised versions published via a hijacked maintainer account:

```text
> npm install axios

attach-guard evaluates:
  axios@1.14.1 --> DENY  (supply chain score 40, below threshold 50 — compromised version)
  axios@1.14.0 --> ALLOW (supply chain score 71, passes all policy checks)

Result: ASK + rewritten command
  "npm install axios@1.14.0"
```
pip — litellm v1.82.7 and v1.82.8 were malicious versions published to PyPI:

```text
> pip install litellm

attach-guard evaluates:
  litellm==1.82.8 --> DENY  (compromised version)
  litellm==1.82.6 --> ALLOW (passes all policy checks)

Result: ASK + rewritten command
  "pip install litellm==1.82.6"
```
These are real examples — attach-guard blocks compromised versions automatically based on their supply chain scores.
| Scenario | Example | Decision | What happens |
|---|---|---|---|
| Package is safe | `npm install axios@1.14.0` | Allow | Install proceeds normally |
| Pinned to compromised version | `pip install litellm==1.82.8` | Deny | Blocked — compromised version |
| Unpinned, latest is risky | `npm install axios` | Ask + rewrite | Safe alternative offered: `axios@1.14.0` |
| All versions fail | malware-only package | Deny | Blocked with clear explanation |
This works across all supported ecosystems — the rewrite uses the native pinning syntax for each:
| Ecosystem | Unpinned command | Rewritten command |
|---|---|---|
| npm / pnpm | `npm install axios` | `npm install axios@1.14.0` |
| pip | `pip install litellm` | `pip install litellm==1.82.6` |
| Go | `go get golang.org/x/net` | `go get golang.org/x/net@v0.25.0` |
| Cargo | `cargo add serde` | `cargo add serde@=1.0.200` |
Your flow only fully stops when there is genuinely no safe version to offer.
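As an added illustration that is not attach-guard's own code, the Python below sketches the allow / ask / deny decision and the per-ecosystem rewrite described above, including the fail-closed path when the provider has no answer. The score table and the simplified command grammar are constructed for the example; a real hook would obtain scores from Socket.dev and return its verdict through the PreToolUse hook protocol.

```python
import re

THRESHOLD = 50  # versions scoring below this are denied (threshold used on this page)

# Simplified install-command grammar and the native pinning syntax per ecosystem.
ECOSYSTEMS = {
    "npm":   (r"^(npm install|pnpm add) (?P<pkg>@?[^@\s]+)(?:@(?P<ver>\S+))?$", "{cmd} {pkg}@{ver}"),
    "pip":   (r"^(pip install) (?P<pkg>[^=\s]+)(?:==(?P<ver>\S+))?$",           "{cmd} {pkg}=={ver}"),
    "go":    (r"^(go get) (?P<pkg>[^@\s]+)(?:@(?P<ver>\S+))?$",                 "{cmd} {pkg}@{ver}"),
    "cargo": (r"^(cargo add) (?P<pkg>[^@\s]+)(?:@=?(?P<ver>\S+))?$",            "{cmd} {pkg}@={ver}"),
}

# Constructed score table (newest version first) standing in for a provider lookup.
# A package absent from the table models "provider returned nothing".
SCORES = {
    "axios":   [("1.14.1", 40), ("1.14.0", 71)],
    "litellm": [("1.82.8", 30), ("1.82.7", 30), ("1.82.6", 80)],
    "badpkg":  [("2.0.0", 10), ("1.0.0", 5)],
}

def parse(command):
    """Return (cmd, pkg, ver, rewrite_template), or None if this is not an install."""
    for pattern, template in ECOSYSTEMS.values():
        m = re.match(pattern, command.strip())
        if m:
            return m.group(1), m.group("pkg"), m.group("ver"), template
    return None

def evaluate(command, scores=SCORES):
    """Return (decision, rewritten_command, reason); decision is allow, ask or deny."""
    parsed = parse(command)
    if parsed is None:
        return "allow", None, "not a package install command"
    cmd, pkg, ver, template = parsed
    versions = scores.get(pkg)
    if versions is None:  # provider unavailable or silent: fail closed
        return "deny", None, f"{pkg}: no provider data, failing closed"
    if ver is not None:  # pinned install: judge exactly the requested version
        score = dict(versions).get(ver)
        if score is None:
            return "deny", None, f"{pkg}@{ver}: unknown version, failing closed"
        verdict = "allow" if score >= THRESHOLD else "deny"
        return verdict, None, f"{pkg}@{ver}: score {score} vs threshold {THRESHOLD}"
    newest, newest_score = versions[0]  # unpinned: the resolver would pick the newest
    if newest_score >= THRESHOLD:
        return "allow", None, f"{pkg}@{newest}: score {newest_score} passes"
    for v, s in versions[1:]:  # walk back to the newest version that passes policy
        if s >= THRESHOLD:
            return ("ask", template.format(cmd=cmd, pkg=pkg, ver=v),
                    f"{pkg}@{newest}: score {newest_score} below {THRESHOLD}; safe alternative {v}")
    return "deny", None, f"{pkg}: no version passes policy"
```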
## Why a Hook, Not a Skill or MCP
attach-guard uses Claude Code hooks — not skills or MCP servers. The distinction matters:
- Hooks run automatically on every matching tool call. They enforce rules deterministically — Claude cannot skip or override them.
- Skills are instructions Claude follows when invoked. They guide behavior but cannot block actions.
- MCP servers provide advisory context. They inform but do not enforce.
Security enforcement requires interception at the tool-call boundary, before execution. Hooks are the only Claude Code extension point that guarantees this.
## Installation

### Quick Start: Claude Code Plugin
The fastest way to try attach-guard. Requires a Socket.dev API token (free tier available).
```bash
# Add the marketplace and install (one-time)
claude plugin marketplace add attach-dev/attach-guard
claude plugin install attach-guard@attach-dev
```
Or from within a Claude Code session:
```text
/plugin marketplace add attach-dev/attach-guard
/plugin install attach-guard@attach-dev
```
During installation or enablement, Claude Code will prompt for your Socket API token (stored securely in your system keychain). Get a free token at socket.dev.