phromo a day ago

The linked page seems to be a normal known-vuln checker? From the doc:

""" The tool will:

    Recursively find all package.json and requirements.txt files
    Parse the dependencies
    Query OSV
    Display a beautiful report
"""
knackstedt a day ago | parent

It has a 2-part process. First, it does a simple dependency check against Google's OSV, then there's a supply chain check that requires an AI key. This secondary check uses code signature checks to identify files that have "risky" behavior (e.g. eval, lots of encoded code etc.) and passes that to an AI to identify whether it's likely malicious code hidden behind the "risky" behavior.

Disclaimer: I work on this project.
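An added example (not the tool's own code) of the first-stage signal the comment above describes: a Python heuristic that flags eval/Function/child_process use and large encoded blobs in JavaScript sources, so that a second-stage review only sees the files worth a closer look. The pattern names, weights, threshold and sample files are assumptions constructed for this example.

```python
"""Heuristic triage of JavaScript files for "risky" behaviour (added example)."""
import re
from typing import Dict, List, Tuple

# Pattern names and weights are assumptions for this example, not the tool's.
RISK_PATTERNS: Dict[str, re.Pattern] = {
    "eval_call": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bnew\s+Function\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),      # long \xNN runs
    "base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{64,}={0,2}['\"]"),  # big literal
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\s*\("),
}
WEIGHTS = {"eval_call": 3, "function_ctor": 3, "child_process": 2,
           "hex_escape_run": 2, "base64_blob": 1, "base64_decode": 1}

def scan_source(text: str) -> Dict[str, int]:
    """Return {pattern_name: hit_count} for every pattern that matches."""
    return {n: len(p.findall(text)) for n, p in RISK_PATTERNS.items() if p.search(text)}

def risk_score(hits: Dict[str, int]) -> int:
    """Score a file: each matched pattern counts once; decoding a blob and
    then executing it (the classic obfuscation shape) earns an extra bonus."""
    score = sum(WEIGHTS[n] for n in hits)
    decodes = {"base64_blob", "base64_decode"} <= hits.keys()
    executes = bool({"eval_call", "function_ctor"} & hits.keys())
    return score + (3 if decodes and executes else 0)

def triage(files: Dict[str, str], threshold: int = 4) -> List[Tuple[str, int]]:
    """Return (path, score) for files at or above the threshold, worst first."""
    scored = [(path, risk_score(scan_source(src))) for path, src in files.items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: (-s[1], s[0]))

# Constructed sample package files (a benign helper and an obfuscated postinstall).
SAMPLE_FILES = {
    "node_modules/left-pad-ish/index.js":
        "module.exports = function pad(s, n) { return ' '.repeat(n) + s; };\n",
    "node_modules/shiny-utils/postinstall.js":
        "const p = '" + "QUFB" * 17 + "';\n"          # base64 of harmless 'AAA' * 17
        "eval(Buffer.from(p, 'base64').toString());\n",
}

if __name__ == "__main__":
    for path, score in triage(SAMPLE_FILES):
        print(f"{score:>3}  {path}  {sorted(scan_source(SAMPLE_FILES[path]))}")
```

Files that score above the threshold are the candidates a second-stage check (human or model) would examine; a zero score is not proof of safety, only the absence of these particular signals.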