Safe Vibes Only: How DepsDiver Assist Secures AI-Generated Code from Foreign-Controlled Dependencies

AI coding copilots are injecting hidden dependencies from adversarial nations into your codebase without you noticing.

Written by:

Michael Simmons


Hunted Labs’ DepsDiver Assist combats the hidden risk in AI-assisted coding: copilots that indiscriminately insert open source dependencies containing foreign-influenced code from adversarial nations.

Embedded directly in your development environment, DepsDiver scrutinizes every package in real time, highlights dangerous contributions, and automatically suggests safe alternatives. You get security without sacrificing speed while also removing foreign ownership, control, or influence (FOCI) risk in seconds.

AI coding tools optimize for one thing: speed. Security? That’s only factored in if you explicitly prompt for it. And even then, the LLM doesn’t have visibility into supply chain risks like FOCI, typosquatting, or maintainer account takeovers. This leaves the door wide open to malicious threats. Tools like Claude Code, Codex, and GitHub Copilot suggest dependencies based on popularity and functionality, not on who controls them.

The future of secure development requires tooling that rigorously scrutinizes every dependency to build software protected against all adversarial contributions. DepsDiver Code Assist is meeting the moment by merging coding speed with essential security in software development.


DepsDiver Assist In The Wild

Let’s see how much adversarial foreign influence is hiding in everyday code and how fast DepsDiver can fix it.

I asked ChatGPT to create a simple Golang CLI tool that prints “Hello” to my terminal. In seconds, I had working code with a clean file structure. The application worked perfectly. It also pulled in a few open source dependencies to handle basic functionality. That’s where the problems started.

Get the FOCI Outta Here

With my tool outlined, I installed the DepsDiver Code Assistant and added my DepsDiver API key (setup took about 2 minutes—see the setup instructions here).

Immediately, red squiggly lines appeared under some dependencies. Here’s what I saw:

What does this mean? Three key things:

  1. This package exceeds acceptable FOCI risk. It’s highlighted because 36.3% of the code was developed in adversarial nations, specifically Russia and China.
  2. DepsDiver shows me exactly who contributed. Scrolling down, I can see the specific developers who triggered the alert, their locations, and their contribution percentages.
  3. I get context, not just a warning. DepsDiver explains why this is risky, so I can make an informed decision.
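To make those three signals concrete, here is an added Go sketch of the scoring idea the post describes; it is not DepsDiver's code. It aggregates each contributor's attributed lines, computes the share coming from a watch-listed set of countries, and lists who triggered the warning. The watch list, the 25% threshold and the contributor records are constructed assumptions, with the sample built so the share comes out at the 36.3% quoted above.

```go
package main
import "fmt"
import "sort"

// Contribution is one author's attributed share of a package's code
// (constructed sample; real data would come from commit history plus a location lookup).
type Contribution struct {
	Author, Country string // Country is an ISO code
	Lines           int
}

// Threshold (percent) and watchList are assumptions; the post states neither.
const Threshold = 25.0
var watchList = map[string]bool{"RU": true, "CN": true}

// FOCIShare returns the percentage of lines written by watch-listed contributors
// and those contributors sorted by descending line count.
func FOCIShare(contribs []Contribution) (float64, []Contribution) {
	total, flagged := 0, 0
	var who []Contribution
	for _, c := range contribs {
		total += c.Lines
		if watchList[c.Country] {
			flagged += c.Lines
			who = append(who, c)
		}
	}
	if total == 0 {
		return 0, nil // no attributed code: no basis for a score
	}
	sort.Slice(who, func(i, j int) bool { return who[i].Lines > who[j].Lines })
	return 100 * float64(flagged) / float64(total), who
}

// ExceedsThreshold reports whether a share should raise the warning.
func ExceedsThreshold(share float64) bool { return share > Threshold }

// sampleContributions: 363 of 1000 lines (36.3%) are watch-listed, as in the post.
func sampleContributions() []Contribution {
	return []Contribution{{"alice", "US", 437}, {"bert", "DE", 200},
		{"ivan", "RU", 263}, {"wei", "CN", 100}}
}

func main() {
	share, who := FOCIShare(sampleContributions())
	fmt.Printf("FOCI share %.1f%%, warn=%v\n", share, ExceedsThreshold(share))
	for _, c := range who {
		fmt.Printf("  %s (%s): %d lines\n", c.Author, c.Country, c.Lines)
	}
}
```

Attributing a contributor to a country is the hard and error-prone part of any such scoring and is deliberately taken as an input here.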

DepsDiver doesn’t just identify problems—it suggests solutions. Here are the alternative packages it recommends, each with its own FOCI risk score and a clear explanation of why it’s safer:

This is helpful, but it’s only half the battle.

Think of it like this: Your truck’s engine just seized. You have a brand new replacement engine in your garage. It’s factory-fresh and will definitely work. But there are still many hours of work between now and actually driving your truck again…


Automatic Remediation

At Hunted Labs, we know that identifying the problem is only half the battle. Implementation is where most security tools leave you stranded.

Manually swapping out a dependency is painful, especially if it’s deeply integrated into your application. Hours of refactoring. Testing. Debugging. Hoping you didn’t break something.

DepsDiver automates all of that. It works directly with your AI code assistant to replace the insecure package with a safe alternative across your entire codebase.

The process is simple: Click “Suggest Alternatives” at the bottom of the pop-up. DepsDiver hands off to your IDE’s AI assistant. The AI rewrites your code. Done.

Here’s what that looks like in my app:

My AI assistant (in this case, GitHub Copilot) presents several options. I review them and pick the best fit:

I approve the replacement. The AI assistant refactors the code automatically: updates imports, rewrites function calls, and runs a quick syntax check. New package integrated. FOCI risk eliminated. From detection to fix: 23 seconds.

And just like that, clean, secure code that compiles on the first try:

Beyond Hello World

This was a simple example: a toy Hello World app with one compromised dependency. But the principles scale.

Attackers don’t just exploit known vulnerabilities. They contribute to the open source community, building trust over time before inserting malicious code. As our co-founder Hayden Smith puts it: “The easiest way to attack open source is to be an active member of the community.”

That’s what happened with XZ Utils. That’s what’s happening right now with packages like easyjson and fast-glob, which are embedded in DoW systems and Fortune 500 codebases.

The threat is real. The attack surface is massive. And most organizations have zero visibility into who controls their dependencies.

Hunted Labs makes these threats visible and fixable. DepsDiver catches FOCI risks that traditional security tools miss and automates remediation so you can move fast without compromising security.

Because in 2026, “move fast and break things” is a national security risk.
