npm-scanner

Security auditing toolkit for detecting npm supply chain attacks. Detects threats that npm audit misses—URL dependencies (PhantomRaven-style attacks), malicious lifecycle scripts, typosquatting, and suspicious package metadata.

Zero npm dependencies by design: a security tool that depends on npm packages would be vulnerable to the same attacks it's trying to detect.

Quick Start

git clone https://github.com/virtualian/npm-scanner.git
cd npm-scanner

# Scan globally installed packages
./npm-scanner.sh scan --global

# Scan project dependencies
./npm-scanner.sh scan --project ~/code

# Validate a package before installing
./npm-scanner.sh validate lodash

Documentation

Full documentation: virtualian.github.io/npm-scanner

Requirements

Bash, jq, curl
Node.js (no npm dependencies)

License

ISC

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
.claude/marr		.claude/marr
.github		.github
docs		docs
scripts		scripts
templates		templates
.gitattributes		.gitattributes
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
CLAUDE.md		CLAUDE.md
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
VERSION		VERSION
npm-scanner.sh		npm-scanner.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

npm-scanner

Quick Start

Documentation

Requirements

License

About

Uh oh!

Releases 1

Packages

Contributors 2

Uh oh!

Languages

License

virtualian/npm-scanner

Folders and files

Latest commit

History

Repository files navigation

npm-scanner

Quick Start

Documentation

Requirements

License

About

Resources

License

Code of conduct

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 1

Packages 0

Contributors 2

Uh oh!

Languages

Packages