Hunted Labs is introducing DepsDiver, a new class of dependency security focused on uncovering foreign influence and code repository risk early and providing package alternatives.
Dependency Risk Has Changed
Open source is the foundation of modern software, but dependency decisions no longer happen the way security teams assume they do.
In practice, most dependencies aren’t consciously selected or reviewed upfront. Package managers resolve libraries automatically. CI/CD pipelines pull in components during builds. Code assistants suggest and introduce open source packages as code is written. In turn, dependencies are often adopted implicitly, reused across projects, and buried several layers deep before anyone pauses to ask whether they should be trusted.
As a result, trust decisions are made rapidly, and when a code assistant is involved they sometimes bypass risk assessment entirely: the package is simply included in your build.
DepsDiver addresses this by providing risk-informed threat intelligence about, among other things, who maintains a project, how stable that maintainership is, and whether control has changed in ways that introduce risk.
DepsDiver: Control-First Dependency Security
DepsDiver brings intentionality to dependency risk decisions by giving teams visibility into who controls an open source project and how that control has changed over time. Instead of waiting for vulnerabilities to be disclosed, DepsDiver evaluates open source projects using signals that determine long-term risk, not just short-term exposure.
These signals fall into three core areas:
- Project health: Is the project actively maintained, or showing signs of decay, abandonment, or superficial activity that increase takeover risk?
- Maintainer behavior: Who is contributing today, has that changed over time, and do shifts in maintainership introduce new trust or stability concerns?
- Control and influence: Are there changes in ownership, governance, or contributor influence that alter who ultimately controls the project? What percentage of your dependencies show foreign influence?
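The three signal areas above can be approximated from nothing more than a project's commit history. The following is an added illustration written for this page, not DepsDiver's own code or scoring method: it takes a constructed commit log for a hypothetical package, splits it into a current and a prior 180-day window, and derives a few defender-side heuristics (staleness, contributor concentration, maintainer turnover, and how much of recent activity comes from people who were absent from the prior window). The thresholds in `flag()` are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed commit history for a hypothetical package: (commit date, author).
# Two long-time maintainers taper off while a newcomer takes over all recent commits.
TAKEOVER_COMMITS = [
    (date(2024, 1, 15), "alice"), (date(2024, 2, 3), "bob"), (date(2024, 3, 10), "alice"),
    (date(2024, 4, 22), "alice"), (date(2024, 5, 30), "bob"), (date(2024, 6, 14), "alice"),
    (date(2024, 8, 2), "carol"), (date(2024, 9, 9), "carol"), (date(2024, 10, 1), "carol"),
    (date(2024, 11, 12), "carol"), (date(2024, 12, 20), "carol"),
]

# Constructed contrast: the same two maintainers stay active across both windows.
STABLE_COMMITS = [
    (date(2024, 1, 15), "alice"), (date(2024, 3, 10), "bob"), (date(2024, 5, 30), "alice"),
    (date(2024, 8, 2), "bob"), (date(2024, 10, 1), "alice"), (date(2024, 12, 20), "bob"),
]

AS_OF = date(2025, 1, 1)          # assumed evaluation date
WINDOW = timedelta(days=180)      # assumed comparison window


@dataclass
class ControlSignals:
    days_since_last_commit: int
    top_contributor_share: float   # fraction of current-window commits by the busiest author
    maintainer_turnover: float     # fraction of prior-window authors absent from the current window
    newcomer_share: float          # fraction of current-window commits by authors new since the prior window


def _authors_in(commits, start, end):
    """Count commits per author with start <= date < end."""
    return Counter(author for d, author in commits if start <= d < end)


def compute_signals(commits, as_of=AS_OF, window=WINDOW) -> ControlSignals:
    """Derive maintainer-control heuristics from a (date, author) commit list."""
    if not commits:
        raise ValueError("commit history is empty")
    current = _authors_in(commits, as_of - window, as_of)
    prior = _authors_in(commits, as_of - 2 * window, as_of - window)
    last_commit = max(d for d, _ in commits)

    cur_total = sum(current.values())
    top_share = max(current.values()) / cur_total if cur_total else 0.0

    prior_set, cur_set = set(prior), set(current)
    turnover = len(prior_set - cur_set) / len(prior_set) if prior_set else 0.0
    newcomers = cur_set - prior_set
    newcomer_share = sum(current[a] for a in newcomers) / cur_total if cur_total else 0.0

    return ControlSignals((as_of - last_commit).days, top_share, turnover, newcomer_share)


def flag(signals, max_stale_days=180, max_top_share=0.8, max_turnover=0.5, max_newcomer_share=0.5):
    """Return the list of heuristic reasons a reviewer should look closer (empty if none)."""
    reasons = []
    if signals.days_since_last_commit > max_stale_days:
        reasons.append("stale")               # project health: no recent activity
    if signals.top_contributor_share > max_top_share:
        reasons.append("concentrated")        # control: one person dominates recent commits
    if signals.maintainer_turnover > max_turnover:
        reasons.append("turnover")            # maintainer behaviour: previous maintainers gone
    if signals.newcomer_share > max_newcomer_share:
        reasons.append("newcomer-takeover")   # control: recent work mostly by new arrivals
    return reasons


if __name__ == "__main__":
    for name, history in (("takeover", TAKEOVER_COMMITS), ("stable", STABLE_COMMITS)):
        s = compute_signals(history)
        print(name, s, flag(s) or "no flags")
```

A real tool would pull this history from the repository and the package registry, and would treat these numbers as prompts for a human review rather than a verdict; a newcomer share of 1.0 can mean a hostile takeover or a perfectly orderly handover, and only the governance record distinguishes the two.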
How DepsDiver Works
Dependency risk forms while code is being written. That’s why DepsDiver is available as both a hosted platform and an IDE extension, DepsDiver Assist. The platform provides deep, pre-adoption intelligence, while the DepsDiver Assist extension brings the same control and trust signals directly into developer workflows at the moment dependencies are introduced.
The platform supports deep analysis of packages, repositories, contributors, and domains during evaluation and design. The IDE extension surfaces those same risk signals inside local workflows as dependencies are added, highlighting issues and suggesting safer alternatives in real time, including when working alongside AI code assistants.
This integration works natively alongside any AI code assistant, providing sourced alternatives to high-risk dependencies so that users can adopt more secure open source components that still meet their build needs.
Users can tailor DepsDiver’s alerts to be as lenient or as stringent as their enterprise requires.
Make Dependency Trust Explicit
DepsDiver is the result of Hunted Labs’ research into open source risk in the wild — not in theory, not in postmortems, but as it actually forms across real projects, real maintainers, and real shifts in control. The most consequential risks rarely begin as vulnerabilities. They begin as changes in trust: a project losing maintainers, ownership quietly shifting, influence consolidating in ways defenders never intended.
DepsDiver gives teams control-first dependency intelligence before adoption by changing how trust decisions are made — from a reactive to a proactive view that consolidates disparate data into threat-informed intelligence. This is the new foundation for how dependency risk is assessed, understood, and acted on in developers’ daily work.
Secure your dependencies with DepsDiver. The first 7 days are on us.
DepsDiver FAQs
Q: What is DepsDiver?
A: DepsDiver is Hunted Labs’ control-first dependency intelligence platform. It helps teams determine whether an open source dependency can be trusted before it becomes embedded in their systems by analyzing who controls a project, how that control is changing, and what it means for long-term risk.
Q: How do I get started with DepsDiver?
A: Getting started is easy. DepsDiver is available as a fully hosted platform or as an IDE extension, and can be accessed immediately with a 7-day free trial. A credit card is required to start, and you won’t be charged unless you continue after the trial. Everything, including access, tokens, and account management, lives directly inside DepsDiver.
Q: Who is DepsDiver built for?
A: DepsDiver is designed for security teams, platform teams, and defenders responsible for software supply chain risk, especially in environments where trust, control, and governance matter as much as vulnerabilities.
Q: What types of risk does DepsDiver identify?
A: DepsDiver surfaces risk signals related to:
- Maintainer turnover and shifts in contributor influence
- Declining or superficial project activity
- Ownership or governance changes
- Indicators of foreign or external influence
These factors affect whether a dependency can be trusted over time, not whether a specific flaw is exploitable.
Q: When should teams use DepsDiver?
A: DepsDiver is designed for pre-adoption and early decision-making, including:
- Evaluating new dependencies before adoption
- Reassessing existing dependencies as control changes
- Performing ad-hoc investigations during design or review
It helps answer a simple question – should we trust this dependency?
Q: Does DepsDiver require an SBOM?
A: No. DepsDiver can analyze dependencies directly using package identifiers or repository data. This enables fast, ad-hoc investigations without requiring an SBOM or local scanning.
Q: How does DepsDiver relate to Entercept?
A: DepsDiver provides pre-development intelligence about external dependencies. Entercept focuses on monitoring and securing the software you build and run. Together, they provide visibility across the full software lifecycle from dependency selection to production monitoring.