AppOmni launches Heisenberg to tackle software supply risks
AppOmni has released a new open source tool, Heisenberg, designed to detect and prevent risky dependencies in software supply chains.
Heisenberg was developed to address the increasing frequency of software supply chain incidents, where malicious actors compromise widely used packages by phishing maintainers or exploiting automation features. Recent examples cited by the company include attacks on the debug and chalk packages, as well as the spread of the Shai Hulud worm tied to S1ngularity/Nx actors. Such events have underscored the risks posed by rapid, unverified changes to dependencies used by organisations worldwide.
Challenge of supply chain security
As modern software organisations rely heavily on third-party code to maintain development speed, the challenge is not whether to use these packages, but how to approve them rapidly without increasing the risk of future vulnerabilities. Manual reviews can delay releases, while automated approval processes may overlook issues such as unverified maintainers or compromised packages. Managing updates becomes more complicated when changes involve version bumps rather than new dependencies, with most organisations approving these updates in the hope that they remain trouble-free.
AppOmni identified the need for an approach that highlights potential issues directly within the development workflow, particularly at the moment when code changes are proposed through pull requests (PRs). The aim was to create a lightweight, automated check that focuses on any new or significantly changed dependency. According to the release, "If a dependency is new, unhealthy, flagged by an advisory, or lacks verifiable history, it should surface in the conversation where developers are already working: in the PR. And when the ecosystem is hit by a new campaign and everyone asks 'are we affected?', we want answers from our SBOMs within minutes, not after days of manual digging and hunting."
Proactive approach to SBOMs
The company noted that Software Bills of Materials (SBOMs) have traditionally served as compliance documents or a reactive inventory of dependencies, offering limited actionable insight. AppOmni adopted a different perspective, treating SBOMs as a "time-series of dependency states" that could be queried in real time, both for proactive gating of dependencies at PR time and to identify the presence of affected packages when incidents occur. This transition, the company states, meant SBOMs went "from paperwork to the instrument panel."
Heisenberg's capabilities
Heisenberg is distributed as a toolkit and a GitHub Action that automatically inspects changes in dependencies as they enter the codebase. It includes four main Command Line Interface (CLI) modes: sbom (for generating per-repository SBOMs), check (for querying package metadata and health), bulk (for scanning an entire portfolio of dependencies), and analyze (for rapidly identifying whether vulnerable packages are in use).
In typical workflows, Heisenberg inspects pull requests to identify new or recently published dependencies, deprecated or inactive packages, and packages flagged in security advisories. It calculates a health score that gives particular weight to security status and, for npm packages, flags the presence of potentially suspicious postinstall scripts, which have been vectors for prior attacks. The tool then generates a report within the pull request, allowing reviewers to quickly access further details via referenced sources such as deps.dev or Snyk Advisor.
AppOmni highlighted that in the event of an incident, such as the rapid spread of the Shai Hulud worm across multiple packages and repositories, Heisenberg's analyze mode can search for affected packages across an organisation's codebase in seconds. This rapid identification, according to the release, delivers the ability "to move from 'What do we do?' to 'Fix these five repos.'"
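The incident-time search described above can be illustrated with a small script. The following is an added example written for this article, not Heisenberg's own code: it assumes one SBOM per repository in a minimal CycloneDX-like JSON layout (a "components" list whose entries carry "name", "version" and, for scoped npm packages, "group") and an advisory that maps package names to affected versions. Every repository, package name and version in it is constructed for the example and is not a real indicator.

```python
"""Added example: an incident-time "analyze" pass over per-repository SBOMs.

Illustrative code written for this article, not Heisenberg's own implementation.
It assumes SBOMs in a minimal CycloneDX-like JSON layout (a top-level "components"
list whose entries carry "name", "version" and, for scoped npm packages, "group")
and an advisory mapping package names to affected versions. Every SBOM, package
name and version below is constructed for the example and is not a real indicator.
"""
import json

# Constructed SBOMs, one JSON document per repository.
SBOMS = {
    "repo-api": json.dumps({"components": [
        {"name": "example-left-pad", "version": "1.3.0"},
        {"name": "example-logger", "version": "2.0.1"},
    ]}),
    "repo-web": json.dumps({"components": [
        {"group": "@acme", "name": "example-colors", "version": "0.9.4"},
        {"name": "example-logger", "version": "1.9.0"},
    ]}),
    "repo-docs": json.dumps({"components": [
        {"name": "example-left-pad", "version": "1.3.0"},
    ]}),
}

# Constructed advisory: package name -> affected versions ("*" means every version).
ADVISORY = {
    "example-logger": {"2.0.1", "2.0.2"},
    "@acme/example-colors": {"*"},
}


def parse_components(sbom_json):
    """Return (full_name, version) pairs; scoped npm packages join group and name."""
    doc = json.loads(sbom_json)
    pairs = []
    for comp in doc.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # skip malformed entries rather than failing the whole scan
        if comp.get("group"):
            name = f"{comp['group']}/{name}"
        pairs.append((name, version))
    return pairs


def is_affected(name, version, advisory):
    """True when the advisory lists this exact version or every version of the package."""
    affected = advisory.get(name)
    if not affected:
        return False
    return "*" in affected or version in affected


def analyze(sboms, advisory):
    """Map each repository to the sorted list of affected package@version strings."""
    hits = {}
    for repo, sbom_json in sboms.items():
        found = sorted({f"{n}@{v}" for n, v in parse_components(sbom_json)
                        if is_affected(n, v, advisory)})
        if found:
            hits[repo] = found
    return hits


if __name__ == "__main__":
    # Prints the "fix these repos" list: repo-api and repo-web here, repo-docs is clean.
    for repo, pkgs in analyze(SBOMS, ADVISORY).items():
        print(f"{repo}: {', '.join(pkgs)}")
```

Because the SBOMs are already on disk, the scan is a pure lookup with no registry calls, which is what makes a portfolio-wide answer possible in seconds; matching on the scoped name ("@acme/example-colors") rather than the bare "name" field matters, since npm advisories are keyed by the full scoped name.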
Deployment flexibility
Heisenberg is intended to deliver supply chain visibility without impeding the pace of development. The tool can be configured according to organisational needs, such as the acceptable age of new releases, health thresholds, and response to advisories. As stated in the release, "With proactive detection in place, you set your pace instead of being forced into one. Need fast turnarounds? Keep the quarantine short and trust the signals. Running critical infrastructure? Extend the window and tighten the rules on health and provenance. Heisenberg lets you configure it to fit your needs."
Intended outcomes
Describing how the tool fits into both routine development and incident response, AppOmni writes, "The point of all this is to stop bad packages before they merge and to find them fast when the news breaks. Here's what that looks like on an ordinary day, and on a bad one." The process is designed so that a pull request introducing a risky dependency or a version change immediately receives a failed status when the automated checks do not pass, which prevents the change from being merged into production.
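The PR-time gate described in the sections above (new or recently published dependencies, a security-weighted health score, install-script flags, and a configurable quarantine window that can be kept short or extended) can be sketched in a few dozen lines. The following is an added example written for this article, not Heisenberg's own implementation: it assumes flat dependency manifests ({name: version}) for the base and head of a pull request, a constructed registry-metadata lookup (publish date, deprecation and advisory flags, maintainer count, install scripts) and a small policy dictionary. All package names, dates, scores and thresholds are constructed placeholders.

```python
"""Added example: a pull-request dependency gate with a configurable policy.

Illustrative code for this article, not Heisenberg's own implementation. The
registry metadata below stands in for what a real check would fetch from the
package registry or a source such as deps.dev; every value is constructed.
"""
from datetime import date

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
TODAY = date(2025, 9, 30)  # fixed "now" so the example is deterministic

# Constructed dependency manifests for the PR's base and head commits.
BASE = {"example-http": "4.2.0", "example-colors": "1.4.0", "example-utils": "0.8.1"}
HEAD = {"example-http": "4.3.0", "example-colors": "1.4.0", "example-utils": "0.8.1",
        "example-fast-json": "2.1.0"}

# Constructed registry metadata, keyed by name@version.
REGISTRY = {
    "example-http@4.3.0": {"published": date(2025, 9, 16), "deprecated": False,
                           "advisory": False, "maintainers": 3,
                           "scripts": {"postinstall": "node scripts/setup.js"}},
    "example-fast-json@2.1.0": {"published": date(2025, 9, 27), "deprecated": False,
                                "advisory": False, "maintainers": 1, "scripts": {}},
}

# Policy knobs of the kind the article describes; tune per organisation.
DEFAULT_POLICY = {
    "quarantine_days": 14,        # a release younger than this is not yet trusted
    "min_health": 60,             # fail below this score
    "fail_on_advisory": True,
    "flag_install_scripts": True,
}


def health_score(meta, today):
    """0-100 score in which security status carries far more weight than other signals."""
    score = 100
    if meta["advisory"]:
        score -= 60
    if meta["deprecated"]:
        score -= 30
    if meta["maintainers"] < 2:
        score -= 15
    if (today - meta["published"]).days > 730:
        score -= 10  # no release in two years: possibly unmaintained
    return max(score, 0)


def diff_dependencies(base, head):
    """Return (name, old_version, new_version) for additions and version bumps."""
    changes = []
    for name, version in head.items():
        if name not in base:
            changes.append((name, None, version))
        elif base[name] != version:
            changes.append((name, base[name], version))
    return changes


def finding(package, change, severity, reason):
    return {"package": package, "change": change, "severity": severity, "reason": reason}


def evaluate_pr(base, head, registry, policy, today):
    """Return (conclusion, findings); conclusion is the status the PR check would report."""
    findings = []
    for name, old, new in diff_dependencies(base, head):
        change = "new dependency" if old is None else f"bump {old} -> {new}"
        meta = registry.get(f"{name}@{new}")
        if meta is None:
            findings.append(finding(name, change, "fail", "no verifiable registry metadata"))
            continue
        age_days = (today - meta["published"]).days
        score = health_score(meta, today)
        if meta["advisory"] and policy["fail_on_advisory"]:
            findings.append(finding(name, change, "fail", "flagged by a security advisory"))
        if age_days < policy["quarantine_days"]:
            findings.append(finding(name, change, "fail",
                f"published {age_days} days ago, inside the {policy['quarantine_days']}-day quarantine"))
        if score < policy["min_health"]:
            findings.append(finding(name, change, "fail",
                f"health score {score} below {policy['min_health']}"))
        if meta["deprecated"]:
            findings.append(finding(name, change, "warn", "package is deprecated"))
        hooks = [h for h in INSTALL_HOOKS if h in meta["scripts"]]
        if hooks and policy["flag_install_scripts"]:
            findings.append(finding(name, change, "warn", f"declares install scripts: {', '.join(hooks)}"))
    conclusion = "failure" if any(f["severity"] == "fail" for f in findings) else "success"
    return conclusion, findings


if __name__ == "__main__":
    conclusion, report = evaluate_pr(BASE, HEAD, REGISTRY, DEFAULT_POLICY, TODAY)
    print(f"check conclusion: {conclusion}")
    for f in report:
        print(f"  [{f['severity']}] {f['package']} ({f['change']}): {f['reason']}")
```

With the default 14-day quarantine the new example-fast-json dependency, published three days ago, fails the check and the PR cannot merge, while the example-http bump only earns a warning for its postinstall script. Shortening quarantine_days to 2 turns the same PR green, which is the "set your pace" trade-off the release describes; extending it, or raising min_health, is the stricter setting for critical infrastructure.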
The company is making Heisenberg available under an open source licence, and encourages developers, security teams, and contributors to adopt and expand the toolkit to fit their respective workflows and environments.