Koi Wings™
The risk intelligence engine that sees under the hood – scanning every marketplace hourly, analysing actual code, sandboxing behaviour, and assigning dynamic risk scores that update with every new version

Koi Wings™ Risk Intelligence Engine
#KOI-WINGS
Our Price: Request a Quote

 

Overview:

Wings™ is the risk intelligence engine powering Koi's Endpoint Security Posture Management platform. Where traditional security tools check file signatures against a blocklist, Wings™ analyses what software actually does – scanning marketplaces hourly, assessing vendor reputation across publishing history, comparing claimed versus actual code behaviour using LLM analysis, and sandboxing runtime behaviour before anything reaches your endpoints.

The result is a precise, multi-factor risk score for every piece of software in your environment. Because software is not static, Wings™ scores update automatically with every new version, ownership change, update channel shift, or new CVE disclosure. When a risk score crosses your defined threshold, Koi can automatically trigger removal, quarantine, or IT review workflows – no manual intervention required.

  • Full marketplace scan completed every hour across Chrome Web Store, npm, PyPI, VS Code Marketplace, HuggingFace, and more.
  • Vendor reputation assessed across all marketplaces based on publishing history, ownership history, and track record.
  • LLM-powered code analysis compares what software claims to do versus what it actually does at a code level.
  • Behavioural sandboxing evaluates runtime behaviour, network calls, and permission requests before software reaches the fleet.
  • Precise multi-factor risk score per application covering code behaviour, publisher trust, network egress, supply chain, and CVE exposure.
  • Continuous score updates on every new version, ownership change, update channel shift, or new vulnerability disclosure.
  • Purpose-built for non-binary software marketplaces – the attack surface traditional EDR, SWG, and MDM tools completely miss.
  • Wings™ scores power preventive policies, continuous monitoring alerts, and automated remediation triggers across the Koi platform.

Ongoing Marketplace Scanning

Wings™ completes a full scan of all software marketplaces every hour – Chrome Web Store, npm, PyPI, VS Code Marketplace, HuggingFace, and more. New releases, version updates, and ownership transfers are captured within the same scanning cycle and reflected in risk scores immediately. No stale intelligence.

  • Hourly full scan across all major software marketplaces.
  • New releases and version updates captured within the same scan cycle.
  • Ownership transfers and publisher changes detected automatically.
  • Coverage includes Chrome Web Store, npm, PyPI, VS Code Marketplace, HuggingFace, and more.

Vendor Reputation Intelligence

Every vendor is assessed based on their full publishing history across all marketplaces – not just the current package. Ownership history, cross-marketplace reputation, and previous publishing track record are all factored into the risk score, catching impersonation and account takeover attempts that name-matching alone would miss.

  • Cross-marketplace reputation assessment per publisher.
  • Ownership history and transfer detection.
  • Previous publishing track record across all releases.
  • Catches fake publisher accounts, account takeovers, and impersonation.

Actual vs. Promised Comparison

An LLM analyses the actual code behind every piece of software and compares what it claims to do versus what it does at a code level. No description is taken at face value. This detects capability misrepresentation, hidden data collection, and functionality that only activates after install – behaviours that signature-based tools cannot identify.

  • LLM-powered code-level analysis of every catalogued package.
  • Claimed versus actual functionality comparison.
  • Detects hidden data collection and dormant malicious payloads.
  • No reliance on vendor-supplied descriptions or metadata.

Dynamic Behavioural Analysis

Full behavioural analysis including code enrichment and sandboxing is performed before software ever reaches your endpoints. Runtime behaviour, network egress patterns, and permission requests are all evaluated as part of the Wings™ assessment pipeline – identifying C2 connections, data exfiltration, and unexpected network calls during execution.

  • Code enrichment and sandboxing pre-deployment.
  • Runtime behaviour and network egress pattern analysis.
  • Permission request evaluation against expected behaviour.
  • Detects C2 infrastructure connections and data exfiltration attempts.

Continuous Risk Score Updates

Because software is not static, Wings™ risk scores update automatically with every new version, ownership change, update channel shift, or new CVE disclosure. A package that was safe last month may not be safe today. Wings™ ensures your risk intelligence is always current without any manual re-assessment.

  • Automatic score updates on every new version release.
  • Score recalculation triggered by ownership changes and update channel shifts.
  • CVE mapping cross-referenced and reflected in scores immediately on disclosure.
  • No manual re-assessment required – continuous intelligence by default.

The Threats Your EDR Was Never Built to Find

Wings™ is purpose-built for non-binary software marketplaces – the attack surface that traditional EDR, SWG, and MDM tools completely miss. Where EDR handles binary executables and AV checks signatures, Wings™ covers the full breadth of the modern software supply chain including browser extensions, code packages, AI models, and MCP tools.

Malware & Backdoors

Detects hidden backdoors, exfiltration payloads, and malicious code injected into otherwise legitimate software – including typosquatting packages and hijacked extensions that have passed previous reviews.

  • Supply chain attack detection across npm, PyPI, and extension marketplaces.
  • Typosquatting package identification.
  • Hijacked package and ownership transfer detection.
  • Hidden payload and backdoor identification via code analysis.

Suspicious Network Egress

Identifies software making unexpected outbound network calls during sandbox execution – exfiltrating data to unknown servers, C2 infrastructure, or unusual geographies. Network egress analysis is performed before the package is ever approved for deployment.

  • C2 infrastructure connection detection during sandboxing.
  • Data exfiltration attempt identification.
  • Unexpected outbound network call flagging.
  • Geographic anomaly detection in egress patterns.

Wings™ vs. Traditional Security Tools

Traditional endpoint security tools were not built for software marketplaces. The following capabilities are unique to Wings™ and absent from EDR, SWG, and MDM platforms:

  • Non-binary software discovery (extensions, packages, AI models, MCPs) – not available in EDR, SWG, or MDM.
  • LLM-based code analysis – not available in any traditional endpoint tool.
  • Hourly marketplace scanning – not available in EDR, SWG, or MDM.
  • Publisher reputation tracking across all marketplaces – not available in traditional tools.
  • Dynamic risk score per version – not available in EDR, SWG, or MDM.
  • AI model and MCP tool coverage – not available in any traditional endpoint category.

Block Before Install

Wings™ scores power Koi's preventive policies, automatically blocking software above your defined risk threshold before employees can install it. Up to 70% of marketplace risk can be blocked in a few clicks without writing a single script.

Continuous Monitoring

Wings™ re-scores software on every version update, so teams are automatically notified if a previously approved package changes ownership, injects malicious code, or shifts update channels in a way that violates existing policy.

Automated Remediation Triggers

When a risk score crosses a defined threshold, Wings™ can automatically trigger removal, quarantine, or IT review workflows across the entire endpoint fleet – no manual intervention required, regardless of fleet size.

Koi Wings™ Specifications:


Table 1. Wings™ Risk Engine Coverage and Capabilities

Columns: Cloud (Managed) | Self-Hosted (Enterprise)

  • Marketplace scanning frequency: Full scan every hour across all major software marketplaces
  • Marketplaces covered: Chrome Web Store, npm, PyPI, VS Code Marketplace, HuggingFace, and more
  • Software types analysed: Binary apps, browser extensions, npm/pip packages, AI models, MCP tools, OS packages, and containers
  • Risk score dimensions: Code behaviour, publisher trust, network egress, supply chain integrity, and CVE exposure
  • Score update triggers: New version release, ownership change, update channel shift, new CVE disclosure
  • Analysis methods: LLM code analysis, behavioural sandboxing, vendor reputation assessment, network egress monitoring
  • Deployment options: Managed cloud | On-premises and private cloud
  • Integration: Powers Koi Endpoint preventive policies, monitoring alerts, and automated remediation triggers via REST API

Table 2. Analysis Pipeline

  • Step 1 – Market Scanning: Full hourly scan of all marketplaces. New releases, updates, and ownership transfers captured within the same cycle.
  • Step 2 – Vendor Reputation: Cross-marketplace reputation assessment covering publishing history, ownership history, and track record across all previous releases.
  • Step 3 – Code Analysis: LLM-powered analysis comparing claimed versus actual code behaviour. Detects capability misrepresentation and hidden functionality.
  • Step 4 – Behavioural Sandboxing: Runtime behaviour, network egress, and permission request evaluation in an isolated sandbox before deployment.
  • Steps 5 & 6 – Scoring & Updates: Multi-factor risk score assigned per application. Continuously updated on version change, ownership transfer, or new CVE disclosure.

Table 3. Detection Capabilities vs. Traditional Tools

  • Non-Binary Software Discovery. Wings™: Full coverage. EDR/AV: Not available. SWG/Proxy: Partial. MDM: Not available.
  • LLM-Based Code Analysis. Wings™: Full coverage. EDR/AV: Not available. SWG/Proxy: Not available. MDM: Not available.
  • Sandbox Behavioural Analysis. Wings™: Full coverage. EDR/AV: Binary files only. SWG/Proxy: Not available. MDM: Not available.
  • Publisher Reputation Tracking. Wings™: Full coverage across all marketplaces. EDR/AV, SWG, MDM: Not available.
  • AI Model & MCP Coverage. Wings™: Full coverage. EDR/AV, SWG/Proxy, MDM: Not available in any traditional endpoint category.