An isolated VM keeps a poisoned package off your laptop. But the agent still runs npm install on your say-so, and a malicious postinstall fires inside the box you just handed real credentials to. 2.2.0 moves the defense to the one place the agent can't reach around: the proxy every package download already crosses on its way out of the VM.

New

Supply Chain — every package scanned before it lands. The proxy that already brokers your credentials now inspects every package the agent fetches — npm, pip, cargo — before it's allowed through. It runs at the VM boundary, so it holds even when the agent rewrites .npmrc, points pip at a private mirror, or --registrys its way around your config. The scan happens where the agent can't cross.
A cooldown the VM can't talk its way past. Compromised versions usually get yanked within hours of being noticed — but those first hours are exactly when an agent might pull one. Bromure quarantines anything published in the last two days (tunable) and enforces it at the boundary, so a freshly uploaded malicious release simply isn't installable, no matter what the config inside the VM says.
Two scanners, two kinds of threat. OSV catches known CVEs above the severity threshold you set. socket.dev catches what the CVE databases haven't yet — rogue install scripts, malware-flagged code, typosquats, packages that quietly phone home. A flagged release is blocked before it ever reaches node_modules.
Install scripts, stripped on the fly. preinstall, install, postinstall, and prepare are where supply-chain payloads actually execute. Bromure rewrites the tarball, removes the script hooks from package.json, and fixes the metadata hash so the install still verifies. Native builds that genuinely need them — better-sqlite3, node-canvas — go on a short allowlist; everything else installs inert.

Bromure's supply-chain protection was Guillaume Valadon's idea — thank you, Guillaume.

Bromure Agentic Coding is free and open source. Grab 2.2.0 on the downloads page, or learn more on the Agentic Coding page →.