AI Ghost Dependency Interceptor

A high-performance "Security and Sanity Gateway" between your IDE and your AI code assistant.

With the rise of AI-assisted coding, the primary supply-chain risk isn't just data leaks—it's Hallucinated Dependency Injection. If an LLM (like Copilot, Claude, or ChatGPT) suggests a non-existent package and you blindly accept it, an attacker can register that package name on NPM to execute malicious code on your machine.

This extension intercepts AI-generated code snippets in milliseconds using a local Rust daemon to verify every dependency before it puts your machine at risk.

Features

• Zero-Latency AST Parsing: Uses SWC (Rust) to parse TypeScript/JavaScript inline suggestions instantly.
• JIT Registry Verification: Cross-references imported modules against your local package.json. If an unknown dependency is detected, it performs a real-time HTTP check against the official NPM registry.
• Persistent SQLite Caching: Valid packages are cached locally in ~/.ai-auditor to ensure network requests are only made once, keeping latency near zero.
• Instant Diagnostics: Flags hallucinated or dangerous external dependencies directly in the editor with high-severity red squiggly warnings.
• Secret Scanning: Detects high-entropy strings and potential API keys embedded in AI output.

How it Works

The extension spawns a compiled Rust binary in the background. When code is modified, the editor securely pipes the buffer to the binary via standard I/O. The Rust core parses the Abstract Syntax Tree (AST), extracts all external imports, checks them against your local project, and queries the NPM registry for any anomalies before returning diagnostic data back to VS Code.

Requirements

No external dependencies. The extension dynamically loads the correct pre-compiled Rust binary for Windows, macOS (Intel/Apple Silicon), or Linux automatically.

Release Notes

0.1.0

• Initial MVP release of the core verification engine.
• Added SWC-powered JS/TS AST parsing.
• Implemented Just-In-Time (JIT) NPM registry validation via reqwest.
• Added persistent local SQLite caching for verified packages.
• Added Regex/Entropy-based secret scanning.