Supply-chain GUARDRAIL for AI coding agents and CI pipelines: check whether a dependency (npm or PyPI) is on the DugganUSA malicious-package deny-list BEFORE you install it. This is the runtime defense against slopsquatting / HalluSquatting / hijacked-package attacks — an AI agent about to run `npm install` or `pip install`, or a CI pre-install hook, calls this FIRST and blocks on a hit.
Returns a crisp, machine-actionable verdict: {ecosystem, package, version, malicious, verdict:"block"|"allow"|"review", reason, advice, source}. `malicious:true` = the exact package is on our OSV-curated deny-list (215k+ named-not-heuristic entries across npm + PyPI). `malicious:false` = not on our known-bad list — absence is NOT proof of safety, so still pin and review new deps. If a `version` is supplied and the entry is version-scoped, the check is version-aware; all-versions-malicious packages block on any version.
Designed to be the easiest AI-supply-chain guardrail to wire in: one MCP tool call, no auth, in the agent's pre-install step. Same data is available for CI at /api/v1/stix-feed/packages.json.
Examples: {"ecosystem":"npm","name":"cxp-jquery"} → malicious:true, verdict:block. {"ecosystem":"pypi","name":"requests"} → malicious:false, verdict:allow.