Open source · eBPF · Apache-2.0

Know which dependency did it.

The kernel can tell you a process read a secret or connected to a new host. Goodman tells you which npm package — and which version — did it, and alerts the moment a dependency does something it has never done before.

Runs on your cluster · Helm install in minutes · detection-first, no agents in your code

goodmanctl — alerts tail

$ goodmanctl alerts tail

CRITICAL dependency behavior drift

service · checkout-api

package · [email protected]

+ NEW CONNECT 169.254.169.254:80

+ NEW POST git-tanstack.com/collect

baseline 1.169.4 · learned over 41 days · 0 prior anomalies

→ attributed to package in 2m 41s. your scanner is still green.

84

malicious versions published from one compromised release pipeline

6 min

the malicious code ran inside a legitimate pipeline before anyone noticed

0

static scanners flagged it — the only signals were behavioral, at the kernel

The 2026 npm supply-chain attacks (TanStack, Axios, Shai-Hulud) all shared one trait: install-time checks were green while runtime behavior changed.

54-second demo

From syscall to package name

Watch Goodman learn a baseline, catch a poisoned version reading credentials, and name the exact package — live in the dashboard.

What it catches

Built for dependency behavior drift

Scanners judge what a package might do. Goodman watches what it actually does in your production workloads.

Secret & credential reads

A package version that starts reading tokens, SSH keys, .npmrc, or cloud credentials it never touched before.

New outbound connections

A dependency that suddenly talks to cloud metadata (169.254.169.254) or an exfil host that isn't in its baseline.

Unexpected process execution

A package update that adds execve where the learned baseline had none — the classic install-script backdoor.

Any behavioral drift

Every new canonical behavior is diffed against the per-(service, package, version) baseline and scored by risk rules.

How it works

Kernel truth, package-level answers

One privileged sensor per node, one collector, one dashboard. Attribution is conservative by design — Goodman reports <unknown> rather than guess a package name.

01

Capture

CO-RE eBPF hooks open, connect, and execve on watched Node processes and records the user-space stack. No code changes, no sidecars.

02

Attribute

Stack addresses resolve through V8 perf maps to the deepest node_modules frame — mapped to its exact package.json version.

03

Fingerprint

Events canonicalize into stable behaviors like READ node_modules/pkg/** or CONNECT 169.254.169.254:80, learned per service, package, and version.

04

Diff & alert

Live behavior is compared to the learned baseline. New behavior plus a high-risk rule match becomes an alert that names the package.

Where it sits

Complementary to your scanner — not a replacement

Supply-chain defense is layered. Goodman is the runtime layer that keeps working after everything upstream said the package was fine.

Before install

Registry & SCA scanners

Judge packages by static analysis and metadata before they land in your lockfile. Necessary — but the TanStack versions passed.

At build time

CI/CD hardening

Pin dependencies, restrict egress in builds, delay upgrades. Closes the install window — does nothing once poisoned code is running.

At runtime

Goodman

Watches what dependencies actually do in production and attributes every anomaly to a package@version. The layer the 2026 attacks proved was missing.

Open source

Apache-2.0. Runs on your cluster.

The sensor, collector, dashboard, and Helm chart are all open. Your syscall data never leaves your infrastructure. SQLite for a laptop, Postgres for production, Prometheus metrics and an SSE stream built in.

Try it locally — no root needed

git clone https://github.com/hi-heisenbug/goodman
cd goodman && make demo

Install on Kubernetes

scripts/install-k8s.sh --cluster prod
scripts/enable-node-attribution.sh -n checkout --all

FAQ

Common questions

What is Goodman?
Goodman is an open-source runtime dependency-security sensor. It uses eBPF to capture security-relevant Linux syscalls, attributes each one to the exact npm package and version that caused it, learns a behavioral baseline per service, package, and version, and alerts when a dependency starts doing something it has never done before.
How is this different from a dependency scanner (SCA)?
Scanners judge what a package might do before you install it — static analysis, registry metadata, known CVEs. Goodman watches what dependencies actually do in production. The 2026 TanStack and Axios attacks passed every scanner; the malicious behavior only appeared at runtime. The two layers are complementary, and we recommend running both.
How is this different from Falco or other eBPF runtime security tools?
Generic runtime tools tell you a process opened a file or connected to an IP. Goodman resolves the user-space stack through V8 perf maps and tells you which npm package inside that process did it — for example [email protected], not just node. Package-level attribution is the core difference.
Does it slow down my production workloads?
The sensor uses CO-RE eBPF tracepoints on file open, network connect, and process exec for watched processes only. Node attribution uses V8 perf maps enabled with one NODE_OPTIONS environment variable. Overhead is designed to be low enough for production; you can scope watching to specific namespaces or deployments.
Does my data leave my infrastructure?
No. Goodman is fully self-hosted: the sensor, collector, dashboard, and storage (SQLite or Postgres) all run on your cluster. Syscall data never leaves your infrastructure.
Can attribution be wrong?
Goodman is deliberately conservative: when it cannot resolve a syscall to a package with confidence, it reports <unknown> rather than guess. Incorrect attribution is worse than no attribution.
Does it block attacks or only detect them?
Detection-first in v1. Goodman observes, attributes, fingerprints, and alerts — it does not block or sandbox. Blocking on kernel-level signals without high-confidence attribution causes outages; we are building trust in the signal first.
What does it cost?
The software is free and open source under Apache-2.0. Heisenbug offers paid design-partner pilots that include deployment on your cluster, rule tuning, and a weekly dependency-behavior report. Email [email protected].

Design partners

We are taking three design partners

We deploy Goodman on your cluster, tune the rules, and walk you through a dependency-behavior report every week. You get the runtime layer done for you — we get your criticism.

Not ready to talk? Get the supply-chain research and release notes.