Great question! No, Phantom Guard won't flag legit packages like openai, langchain-openai, or gpt-engineer.
The primary signal is whether the package exists on the registry. We query PyPI/npm directly:
- If a package exists → it gets a low/safe risk score
- If a package doesn't exist → that's the main red flag for slopsquatting
Pattern matching (like AI-related terms) is just one of many weighted signals, and it's far outweighed by existence. In fact, popular packages get a negative weight that actively reduces their risk score.
The attack we're detecting is when an LLM hallucinates a package name like flask-gpt-utils that sounds plausible but doesn't exist. A real attacker could then register that name and wait for developers to pip install it.
We test against the top 1000 PyPI packages and target <5% false positive rate. If you're importing openai or transformers, you're fine.
I built a vector database that runs entirely in WebAssembly. No server, no API calls, no data leaves the browser.
Why? Most vector DBs require a server. If you're building privacy-sensitive apps (medical notes, legal docs, personal journals) or offline-first tools, that's a problem. EdgeVec solves it.
What it does:
- Semantic search on embeddings from OpenAI, Cohere, HuggingFace, etc.
- Binary quantization: 32x memory reduction (1M vectors in ~125MB)
- SIMD acceleration: 8.75x faster Hamming distance
- IndexedDB persistence: index survives page reloads
- Filter expressions: SQL-like metadata queries
Technical details:
- 220KB gzipped, 494KB raw
- Chrome 91+, Firefox 89+, Safari 16.4+
- Brute force search (HNSW coming in v0.8)
- MIT licensed