Reality check for AI-generated code.
Munack is a deterministic, local-first scanner that looks for potentially hallucinated packages, SDKs, imports, frameworks, dependencies, and slopsquatting risk by comparing what it finds in a project against public package registries.
Munack catches hallucinated packages, fake imports, invented SDK references, and suspicious AI-generated dependencies before they hit production.
Best short positioning:
- Reality check for AI-generated dependencies
- Catch hallucinated packages before they hit production
See docs/WHY_MUNACK.md for the short public explanation of why Munack exists.
Without Munack, generated code can reference package names that look plausible but do not exist in the expected registry.
With Munack, those references are surfaced as suspicious or not_found before they silently reach CI, PR review, or production release workflows.
Munack verifies package existence against:
- npm
- PyPI
- crates.io
- Packagist
- samples/adversarial-polyglot-suite
- samples/adversarial-namespace-suite
These samples intentionally mix real and hallucinated package references across JavaScript, Python, Rust, and PHP.
- adversarial polyglot suite: 14 exists, 8 suspicious
- adversarial namespace suite: 4 exists, 2 suspicious
See docs/BENCHMARK_RESULTS.md for the current reproducible benchmark summaries.
- Scans dependency manifests and lockfiles for JavaScript, Python, Rust, and PHP ecosystems
- Scans import statements in JS, TS, Python, Rust, and PHP where the mapping is practical
- Checks existence against npm, PyPI, crates.io, and Packagist
- Classifies findings as exists, not_found, suspicious, or unknown
- Supports project config via .munackrc.json or package.json#munack
- Supports markdown, json, and sarif output formats for CLI and CI usage
- Works fully locally except for public registry existence checks
- Never uploads source code or requires any AI/cloud model
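The existence check described in this list, as an added JavaScript example that is not Munack's own code: it pulls dependency names from a package.json and a requirements.txt, looks each one up at the public npm and PyPI endpoints, and maps the HTTP status to `exists`, `not_found`, or `unknown`. The function names, the caller-supplied `fetchStatus(url)` helper, and the status mapping are assumptions; `suspicious` is not modelled because the page does not define it.

```javascript
// Added illustration, not Munack source. fetchStatus is a hypothetical caller-supplied
// function (url) => Promise<HTTP status>. The sample manifests below are constructed.
const SAMPLE = {
  packageJson: '{"dependencies":{"react":"^18.0.0","@types/node":"^20.0.0","fastjson-turbo-sdk":"1.0.0"}}',
  requirements: 'requests>=2.31  # http client\n-r dev.txt\nPy_Auth.Lib-Easy==0.1\n',
};

const REGISTRY_URL = {
  // Scoped npm names keep "@" but need the slash encoded.
  npm: (name) => `https://registry.npmjs.org/${name.replace('/', '%2F')}`,
  // PyPI project names are normalized (PEP 503) before lookup.
  pypi: (name) => `https://pypi.org/pypi/${name.toLowerCase().replace(/[-_.]+/g, '-')}/json`,
};

function npmNames(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
}

function pypiNames(requirementsText) {
  return requirementsText.split(/\r?\n/)
    .map((line) => line.replace(/(^|\s)#.*$/, '').trim()) // drop comments
    .filter((line) => line && !line.startsWith('-') && !line.includes('://'))
    .map((line) => (line.match(/^[A-Za-z0-9][A-Za-z0-9._-]*/) || [])[0])
    .filter(Boolean);
}

// 200 -> exists, 404 -> not_found; anything else (429, 5xx, timeout) -> unknown,
// so a registry outage is never reported as a missing or a verified package.
async function classify(registry, name, fetchStatus) {
  try {
    const status = await fetchStatus(REGISTRY_URL[registry](name));
    return status === 200 ? 'exists' : status === 404 ? 'not_found' : 'unknown';
  } catch {
    return 'unknown';
  }
}

async function scan(manifests, fetchStatus) {
  const refs = [
    ...npmNames(manifests.packageJson).map((name) => ['npm', name]),
    ...pypiNames(manifests.requirements).map((name) => ['pypi', name]),
  ];
  return Promise.all(refs.map(async ([registry, name]) => (
    { registry, name, status: await classify(registry, name, fetchStatus) })));
}

// CI gate in the spirit of --fail-on not_found,suspicious.
const shouldFail = (findings, failOn) => findings.some((f) => failOn.includes(f.status));
```

Keeping `unknown` separate from `not_found` lets a CI gate stay strict about missing packages without failing builds whenever a registry is slow or rate-limited.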
- packages/munack-core - shared discovery, registry, licensing, caching, and report engine
- packages/munack-cli - CLI for terminals and editor-integrated terminals
- packages/munack-vscode - VS Code-compatible extension for VS Code family editors
- docs/ - release and upload documentation
- samples/ - sample projects used for smoke testing
- package.json
- package-lock.json
- pnpm-lock.yaml
- yarn.lock
- requirements.txt
- pyproject.toml
- Pipfile
- Cargo.toml
- composer.json
- import/require/from/use statements in JS, TS, Python, and Rust
Install the public CLI:
npm install -g munack-cli
Build the workspace:
npm install
npm run build
Run the CLI directly from the repo:
node .\packages\munack-cli\dist\index.js scan .
node .\packages\munack-cli\dist\index.js scan .\samples\hallucinated-mixed
node .\packages\munack-cli\dist\index.js scan .\samples\adversarial-polyglot-suite
node .\packages\munack-cli\dist\index.js scan . --format sarif --fail-on not_found,suspicious
node .\packages\munack-cli\dist\index.js check react --registry npm
node .\packages\munack-cli\dist\index.js doctor
Fast evaluation path:
munack scan .
munack scan .\samples\adversarial-polyglot-suite
munack scan .\samples\adversarial-namespace-suite
Optional project config:
{
"includeCodeImports": true,
"ignoreDirs": [".cache", "generated"],
"registryTimeoutMs": 8000,
"registryConcurrency": 8
}
Munack is already set up to fit CI and marketplace-grade release workflows.
- SARIF output is supported from the CLI
- GitHub Actions workflow files already exist in .github/workflows
- --fail-on can make CI fail on not_found and suspicious
Example:
node .\packages\munack-cli\dist\index.js scan . --format sarif --output .\reports\munack.sarif
node .\packages\munack-cli\dist\index.js scan . --fail-on not_found,suspicious
- Free: 5 scans per month
- Pro: $9/month, unlimited scans, export report
- Team: $19/month, same behavior as Pro in v1 with plan metadata prepared
License status and usage are cached locally under the user config directory at ~/.munack/state.json.
The extension contributes these commands:
- Munack: Scan Project
- Munack: Check Current File
- Munack: Activate License
- Munack: License Status
Build the extension and package a VSIX:
npm run test:extension
npm run package:vsix
Generated file:
packages/munack-vscode/dist/munack-0.1.6.vsix
Marketplace assets and screenshots live under:
- packages/munack-vscode/media
- packages/munack-vscode/media/screenshots
Theia helper launcher:
.\scripts\launch-theia-with-munack.ps1
CLI target users:
- JetBrains
- Visual Studio
- Sublime Text
- Zed
- Neovim
- Emacs
- Terminal users
VS Code-compatible target editors:
- VS Code
- Cursor
- Windsurf
- VSCodium
- Theia
See docs/BENCHMARKS.md for benchmark design and docs/BENCHMARK_RESULTS.md for current results. See docs/QUICKSTART.md for the fastest public evaluation path.
