Versatility Labs / Ghost

Why Ghost Resolver exists

The case for human-in-the-loop supply chain security

AI detection is creating a new problem

AI-powered vulnerability detection is one of the most exciting developments in security. Automated scanners can now analyze millions of package releases, flag suspicious code patterns, and detect supply chain attacks in near-real time. The throughput is incredible.

But there's a problem: the signal-to-noise ratio is terrible. AI scanners generate mountains of findings, most of them false positives, edge cases, or technically-true-but-practically-irrelevant flags. Security teams are drowning in slop. A minified file triggers "obfuscation detected." A CI helper reads environment variables and gets flagged as "data exfiltration." A version bump with a new dependency becomes a "critical supply chain risk."

The result: alert fatigue. When everything is flagged, nothing is. The real attacks, the ones where a maintainer's npm token gets stolen and a postinstall script starts exfiltrating SSH keys, get buried under a pile of noise.

Humans are still the best validators

Ghost runs an AI-powered supply chain monitor that watches 500+ packages across npm, PyPI, and GitHub. Every new release gets analyzed within 60 seconds. The AI is good at catching things that look wrong, but it still needs humans to confirm what actually is wrong.

We built Resolver because we think the best way to validate security findings is to give real people real evidence and let them decide. Not multiple-choice quizzes. Not sanitized educational examples. Real packages, real version diffs, real maintainer histories, real behavioral signals, presented clearly so you can form your own judgment.

Think of it like Foldit for supply chain security. Foldit proved that gamified citizen science could solve protein folding problems that computers alone couldn't crack. We believe the same principle applies here: a network of sharp-eyed developers reviewing package updates can catch what automated scanners miss and filter out the noise they generate.

How Resolver works

Each challenge presents a real package update with 6 dimensions of evidence:

Identity: who published it.
Timeline: when and how often.
Structure: what files changed.
Behavior: what the code does.
Data Flow: where data goes.
Context: does it make sense?

You review the evidence. You make the call: safe, suspicious, or malicious. You submit your verdict with a confidence level. After submitting, you see whether you were right and what actually happened with the package.

Every challenge uses data pulled from real registries: real version histories, real maintainer info, real dependency trees. Some of these packages were actually compromised. Some were legitimate. Can you tell the difference?

Where this is going

Today, Resolver is a daily challenge. But the long-term goal is a real-time validation network. When Ghost's AI scanner flags a new release as suspicious, it should be able to surface that finding to a community of trained reviewers who can confirm or reject it within minutes, not hours or days.

Human consensus on top of AI detection. The scanner handles throughput, the community handles precision. Together, they catch more attacks with fewer false alarms. That's the system we're building.

Ready to try it?

New challenges drop daily. No account required. Just evidence and your judgment.


Ghost is built by Paul Vann. If you're working on supply chain security and want to collaborate, get in touch.