On March 31, 2026, two fresh versions of axios showed up on npm — 1.14.1 and 0.30.4. Axios pulls something like 70 million downloads a week, so a lot of npm install commands picked them up before anyone noticed. The new versions quietly added a dependency called plain-crypto-js@4.2.1, which ran a postinstall script that pulled down a cross-platform remote access trojan — Windows, macOS, Linux, take your pick. Microsoft later pinned the infrastructure on Sapphire Sleet, a North Korean crew. The fix was to roll everything back to 1.14.0 or 0.30.3.
Here’s the part that should bother you: a CVE-based scanner wouldn’t have said a word. There was no advisory. There was no published vulnerability. The package wasn’t vulnerable — it was malicious, freshly so, and the entire industry’s default tooling is built to match version numbers against databases of things people already know are bad. Axios wasn’t alone, either. The same stretch of spring 2026 gave us compromised trivy and litellm packages, the Shai-Hulud worm chewing through hundreds of packages with over a hundred million monthly downloads between them, and a steady drip of credential-stealer packages typosquatting enterprise namespaces.
So a lot of engineering leads are now asking a sharper question than “do we have an SCA tool.” They’re asking: would the tool we pay for have caught this, and if not, what would? That’s the comparison I want to run — Socket, Snyk, Aikido, Endor Labs, Semgrep, plus GitHub’s built-in stuff as the baseline most teams actually start from.
Two different jobs that both got called “SCA”
The confusing thing about this category is that “software composition analysis” now means two genuinely different activities, and the tools are good at different ones.
Job one: known-vulnerability management. You have a dependency tree with thousands of packages. Some of them have CVEs. Which ones actually matter, which ones are reachable from your code, which ones can you ignore, and how do you stop the alert pile from burying your team? This is the classic problem, and it’s a real one — most teams drown in dependency alerts that don’t matter.
Job two: catching malicious or suspicious packages before they run. A package just got published, or updated, and it does something a package like that has no business doing — phones home on install, reads environment variables, runs an obfuscated blob, adds a network dependency that wasn’t there last week. Nobody’s filed an advisory yet because nobody knows. You need behavioral analysis, not a database lookup.
Snyk, Endor Labs, and Semgrep grew up doing job one and added various amounts of job two later. Socket was built from day one for job two. Aikido tries to do a bit of everything and stays cheap. None of them is purely one thing anymore, but the DNA still shows, and it matters a lot for which attacks they catch in time.
Socket — the one built for the attack we keep getting
Socket’s whole pitch is that it looks at what a package does, not whether it’s on a list. It analyzes install scripts, network access, filesystem access, obfuscated code, use of eval, shell calls, telemetry, dependency churn — and it does this on packages the moment they’re published, so a brand-new malicious version gets flagged before a CVE could possibly exist. In practice that’s the only model on this list that has a real shot at stopping something like the Axios RAT during the window when it’s actually dangerous.
It plugs in as a GitHub App that comments on PRs, a CLI, and CI gates. The PR experience is the good part: when someone bumps a dependency, Socket drops a comment saying “this update added a postinstall script and now talks to the network,” which is exactly the signal a reviewer needs and almost never has. It also does typosquat detection and “did you mean” warnings, which catches a surprising amount of dumb-but-effective attacks.
The catch is that Socket is narrower than the others. It’s a supply-chain-behavior tool, not a full AppSec platform — it does CVE scanning too now, but its SAST and IaC coverage isn’t the reason you’d buy it, and historically it’s been strongest in the npm/PyPI ecosystems where most of these attacks happen. If you want one tool to do everything, this isn’t it. If you want the tool most likely to catch the next plain-crypto-js, it is.
Snyk — the incumbent that everyone already has a contract with
Snyk is the default. It’s in your IDE, your CLI, your CI, your container registry, and probably your last three job descriptions. It does Open Source (SCA), Code (SAST), Container, and IaC, it has the biggest vulnerability database with a lot of curated advisories that beat the raw NVD feed, and it has reachability analysis to cut down on noise — does your code actually call the vulnerable function, or is it just sitting in the tree.
On the supply chain question, Snyk has gotten better — it does flag some malicious packages and suspicious behavior now — but its center of gravity is still known-vulnerability management. If you’re evaluating Snyk specifically because of the 2026 attack wave, go in with clear eyes: it’s a strong CVE machine that has bolted on some malware awareness, not a behavioral analysis engine.
The other thing to know is the pricing shape. Snyk bills per contributing developer — anyone who commits code that gets scanned — and the Team tier has historically capped at around 10 developers before you’re pushed up the ladder. The jump from “we’re a small team on the Team plan” to “we need Enterprise pricing” is steep, and it tends to arrive sooner than teams expect. Budget for the cliff.
Aikido — the all-in-one that stays cheap
Aikido is the “why are we paying for six tools” play. One platform: SAST, DAST, SCA, secrets detection, IaC scanning, container scanning, CSPM, plus malware detection in dependencies. The free tier is genuinely usable — two users, ten repos, a couple of container images, rescans every few days — which is more than most “free” security tools give you.
Paid plans start around $350/month, and that’s where the supply-chain-relevant stuff lives: PR security reviews, on-prem scanning, malware detection, higher repo and container limits (up to ~100 repos, ~25 containers on the lower paid tier), Jira and compliance integrations. It scales up from there toward five figures a month for bigger orgs, but the entry point is the cheapest serious option here.
What you trade for that breadth and price is depth. Aikido’s malware detection exists, but Socket’s behavioral analysis is more thorough and more focused; Aikido’s reachability story isn’t as developed as Endor Labs’; its SAST is fine but not best-in-class. It’s the right answer when “good enough across the board, one bill, one dashboard” beats “best at any single thing” — which for a lot of small-to-mid teams it does.
Endor Labs — for when the alert pile is the actual problem
Endor Labs went all-in on reachability. Function-level call-graph analysis across 40-plus languages, building a graph through your code, your dependencies, and your container images to figure out which vulnerabilities are actually exploitable in your app. The headline number they push is roughly a 97% reduction in SCA alerts, and for a big org buried in dependency findings, that’s not a vanity metric — it’s the difference between a security backlog people work and one they ignore.
It’s commercial-only. No free tier, no open-source component, and the pricing isn’t public — reported median annual contracts land around $35,000, give or take. That tells you the target customer: large engineering orgs (think 500+ developers) where alert fatigue is a real, expensive, measurable problem and a five-figure contract is rounding error against the engineering time it saves.
On the malware question, Endor does have supply-chain risk detection in the mix, but like Snyk, reachability and known-vuln triage is the heart of it. If your problem is “we get 4,000 dependency alerts and triage 40 of them,” Endor is the most direct fix on this list. If your problem is “a North Korean RAT shipped in our build last Tuesday,” it’s not the first tool I’d reach for.
Semgrep — SAST first, supply chain as a paid add-on
Semgrep is best known as the open-source static analysis engine — write rules that look like the code you’re trying to catch, run it free in CI. The OSS CLI is free forever. Semgrep Supply Chain (their SCA product) and Semgrep Secrets are the paid-only parts, bundled into the Team plan at around $35/contributor/month.
Semgrep Supply Chain’s differentiator is the same reachability idea Endor sells, applied to dependencies: instead of flagging every package with a CVE, it checks whether the vulnerable function is reachable from your code and marks the rest “unreachable” so it doesn’t drown the real findings. It supports a dozen languages across fifteen package managers. The appeal is consolidation around a tool a lot of teams already run for SAST — if Semgrep’s already in your pipeline, adding Supply Chain is a small step.
It’s the weakest of the five on pure malicious-package detection, though. Reachability assumes the package is vulnerable, not evil — a freshly published RAT isn’t in any advisory database, so there’s no CVE for reachability to reason about. Treat Semgrep Supply Chain as good CVE-noise reduction layered on a good SAST tool, not as your defense against the Axios scenario.
The GitHub baseline most teams actually start from
Before you buy anything: GitHub gives you Dependabot, dependency review on PRs, and the advisory database for free on public repos, and GitHub Advanced Security (now sold as separate “Code Security” and “Secret Protection” SKUs, priced per active committer — roughly the $20–$30/committer/month range as of 2026) adds code scanning and secret scanning. It also publishes provenance attestations and npm audit signatures so you can verify a package came from the repo and commit it claims to.
GitHub has also moved hard on the npm side of this in 2026: granular publish tokens cut down to a seven-day lifetime, trusted publishing via OIDC, mandatory 2FA for local publishing, and a staged-publishing review window so maintainers can catch bad changes before they go live. None of that is a scanner you run — it’s the registry getting harder to abuse, which helps everyone whether you pay for a tool or not. The honest take: Dependabot is fine for “this dependency has a CVE, here’s the bump PR,” and it’s worthless for “this dependency is malware.” It’s a floor, not a strategy.
The comparison, in one table
| Socket | Snyk | Aikido | Endor Labs | Semgrep | |
|---|---|---|---|---|---|
| Built for | Supply chain behavior | Known-vuln management | All-in-one AppSec | Reachability at scale | SAST + SCA add-on |
| Catches fresh malware (no CVE) | Yes — its core job | Partial, improving | Yes, decent | Partial | Weak |
| Reachability / noise cutting | Limited | Yes | Basic | Best in class | Yes |
| Install-time / behavioral analysis | Yes, deep | Some | Some | Some | No |
| SAST / IaC / containers / secrets | Light | Full | Full | Dep-focused | SAST strong, rest lighter |
| Free tier | Yes (small teams + OSS) | Yes (limited) | Yes (genuinely usable) | None | Yes (OSS CLI; SCA is paid) |
| Pricing model | Per contributor | Per contributing dev | Flat tiers from ~$350/mo | Custom, ~$35k/yr median | $35/contributor/mo (Team) |
| Best fit | npm/PyPI-heavy teams worried about attacks | Teams already invested in Snyk | Small/mid teams wanting one bill | 500+ dev orgs drowning in alerts | Teams already running Semgrep SAST |
Treat pricing as directional — every vendor on this list moves their pricing page around, and “per contributing developer” can mean wildly different bills depending on how they count. Get a quote, and read how they define a billable user before you sign.
What I’d actually pick
Solo dev or a small startup repo. Socket’s free tier plus GitHub’s free Dependabot, and turn on pnpm’s minimum-release-age default. That combination catches the dumb stuff, catches a lot of the malicious stuff, and costs nothing. Don’t buy an enterprise AppSec platform to guard a side project.
Mid-size product team, mixed ecosystems. Aikido if you want one tool and one bill and you’re tired of stitching things together — its breadth-for-the-price is hard to beat. Add Socket on top if you’re npm/PyPI-heavy and the 2026 attack wave is what’s keeping you up; the two don’t really overlap, and the combined cost is still reasonable.
You already run Snyk or Semgrep. Keep it — ripping out a tool that’s wired into everyone’s IDE is rarely worth it — but be honest that it’s a CVE engine, and put a behavioral layer (Socket) in front of dependency updates. That’s the gap, and it’s a cheap gap to close.
Big regulated enterprise, large dependency trees, alert fatigue is a budget line item. Endor Labs for the reachability and the alert reduction, plus a malware-aware layer, plus whatever your compliance framework forces you to check boxes on. The five-figure contract pays for itself in engineer-hours not spent triaging unreachable CVEs.
Monorepo with a half-dozen languages. Reachability matters most here because your alert volume is highest — Endor or Semgrep Supply Chain — but again, layer Socket for the install-time behavioral catch that reachability fundamentally can’t do.
The hardening that matters no matter what you buy
A scanner is a backstop. The cheap, boring controls do more:
- Turn on a cooldown. pnpm 11 defaults
minimumReleaseAgeto one day; npm hasmin-release-age(in 11.10.0+); Yarn has had it since late 2025. A one-day delay would have blocked Axios, Shai-Hulud, and the September 2025debug/chalkattack — all of which were detected and pulled within hours. This is the single highest-leverage thing on the list and it costs you nothing but a day’s lag on new releases. - Pin and lock. Commit your lockfile, install with
--frozen-lockfile/npm ci, and don’t let CI resolve fresh versions on every build. - Kill install scripts you don’t need.
npm config set ignore-scripts true, or pnpm’sallowBuilds/strictDepBuilds, and explicitly allow the handful of packages that genuinely need to build. Mostpostinstallpayloads die right here. - Use trusted publishing and verify provenance. Publish your own packages via OIDC, not long-lived tokens; verify attestations on what you pull where you can.
- Watch the diff, not just the version. The Axios attack added a new dependency in a patch release. A reviewer — or Socket’s PR comment — seeing “this bump added a package and a network call” is the whole game.
Pick a tool, sure. But if you only do one thing this week, set a dependency cooldown. It would have stopped most of what made 2026 a bad year, and you can do it before lunch.
Sources: Microsoft Security Blog — Mitigating the Axios npm supply chain compromise, Socket — Axios npm package compromised, The Hacker News — Axios supply chain attack, pnpm — Mitigating supply chain attacks, Socket — pnpm 11 supply chain protection defaults, GitHub Blog — Our plan for a more secure npm supply chain, Datadog Security Labs — The case for dependency cooldowns, Aikido Security — Pricing, Endor Labs — Pricing, Semgrep — Supply Chain, Semgrep — Pricing