SECURITY THREAT DETECTION SYSTEM

MALICIOUS PACKAGE

DETECTION ENGINE

$2.8 BILLION stolen through malicious npm packages.
Don't be the next victim. Scan before you install.

REAL-TIME MONITORING
AI POWERED
THREAT DATABASE
2.5 million
PACKAGES SCANNED
47k
THREATS DETECTED
99.8%
DETECTION RATE
150k
DEVELOPERS PROTECTED

Why npmscan instead of npm audit or Snyk?

Different tools solve different security problems. npmscan focuses on malware-like behavior — drainers, obfuscation and sketchy scripts — not just known CVEs.

No install, no login, no API keys
Paste package.json, get instant risk summary
Built to catch drainers & supply-chain attacks
Feature / Toolnpmscannpm auditSnykDependabot
Main focusMalware, drainers, supply-chain abuseKnown CVEs in dependenciesCVEs, licenses, policiesUpdate deps & patch CVEs
Detects new / non-CVE malware✓ Heuristics for drainers, obfuscation, exfiltration✕ CVE database only△ Limited, CVE-driven✕ No
Scan package.json in browser✓ Paste / upload → instant analysis✕ CLI in repo only✕ CLI / agent, no simple paste-and-scan✕ No
Install / setup required✓ None — open site, paste JSONNode + CLI in repoCLI + project wiringEnable per repo, wait for PRs
Login / accounts / API keys✓ No login, no tokens, no repo accessCLI only, no accountAccount + auth tokenGitHub account & repo perms
Cost✓ Free to useFreeFree tier + paid plansIncluded with GitHub
Best for…“Is this package or dependency set sketchy or malicious?”“Do I have known vulnerabilities?”“Enterprise vuln & policy management”“Keep deps updated & patch CVEs”

TL;DR — npmscan is the quickest way to sanity-check an npm package.

No agents, no repo access, no onboarding. Open npmscan, paste your package.json or package name, and get a focused view on malware-style risks in seconds.

How npmscan works

npmscan performs lightweight static analysis on npm packages and dependency lists to surface behavior patterns associated with malicious code.

Parse metadata & files

  • • package.json
  • • scripts
  • • JS/TS files
  • • configuration & metadata

Run malware heuristics

  • • Obfuscation & heavily encoded blobs
  • • Suspicious postinstall hooks
  • • Inlined network calls to unknown endpoints
  • • Attempts to access environment variables
  • • Drainer signatures & exfiltration patterns

Flag risks with concise explanations

  • • Clear, short reasoning
  • • Links to suspicious lines
  • • Designed for both humans and LLM workflows
  • • Goal: quickly verify if a package looks safe or dangerous — without noise

Is npmscan safe?

npmscan is designed to be privacy-first and analysis-only.

  • • We do not store package source code or uploaded tarballs.
  • • Only minimal, non-sensitive logs are kept (page views, error events) to maintain uptime.
  • • Email addresses are stored only if you explicitly subscribe.
  • • No tracking of sensitive project data, no user profiling.
  • • Fully GDPR-friendly and compliant by design.

Your package stays your package — npmscan reads it, analyzes it, and forgets it.

THREAT INTELLIGENCE
Real-time tracking of crypto-draining malware, supply chain attacks, and zero-day exploits in the npm ecosystem.
DEEP ANALYSIS
AI-powered dependency scanning reveals hidden vulnerabilities and malicious code patterns across your entire project.
INSTANT ALERTS
Get immediate warnings about compromised packages, maintainer takeovers, and suspicious version releases.

ATTACK VECTORS

Understanding the types of attacks threatening the npm ecosystem

87
CRYPTO THEFT
Packages designed to drain cryptocurrency wallets and steal private keys from infected systems.
234
CREDENTIAL HARVESTING
Malware that exfiltrates environment variables, API keys, passwords, and authentication tokens.
156
CODE INJECTION
Supply chain attacks that inject malicious code into legitimate packages through compromised maintainers.
92
BACKDOORS
Remote access trojans and persistent backdoors allowing attackers to control infected development machines.

ACTIVE THREAT FEED

Known malicious packages that have compromised production systems and stolen cryptocurrency assets. Click to view full attack analysis.

event-stream
CRITICAL
$13M+ stolen — Bitcoin wallet draining malware injected through compromised dependency. Targeted Copay users. (2018)
ua-parser-js
CRITICAL
8M+ downloads/week — Cryptominers and password stealing trojans deployed after account hijacking. (2021)
eslint-scope
HIGH
NPM credential theft — Compromised maintainer account used to publish malicious versions. (2018)
flatmap-stream
CRITICAL
Purpose-built weapon — Malicious package created specifically to inject crypto-stealing code into event-stream. (2018)

ATTACK TIMELINE

Major security incidents in the npm ecosystem over the years

2018
Jul 2018
eslint-scope compromise
Maintainer account hijacked
Nov 2018
event-stream attack
$13M Bitcoin wallet theft
2021
Oct 2021
ua-parser-js breach
Cryptominers deployed to 8M+ weekly downloads
Nov 2021
coa & rc attacks
Password-stealing malware in popular packages
2022
Mar 2022
node-ipc protest
Developer intentionally corrupts files in Russia/Belarus
Aug 2022
Peacenotwar malware
Anti-Russia protestware affects thousands
2024
Feb 2024
Socket.dev reveals typosquatting campaign
200+ malicious packages discovered
Sep 2024
AI-generated malware detected
First cases of LLM-generated attack code

PROTECTION PROTOCOL

Essential security practices to defend your projects from supply chain attacks

1
AUDIT BEFORE INSTALL
Check package history, maintainer reputation, and security advisories before adding any dependency to your project.
2
USE LOCK FILES
Always commit package-lock.json or yarn.lock to ensure consistent, reviewed versions across all environments.
3
ENABLE 2FA
Require two-factor authentication for all npm accounts with publish access to prevent account takeovers.
4
REVIEW UPDATES
Never blindly update dependencies. Review changelogs and scan for suspicious behavior before upgrading.
5
MINIMIZE DEPENDENCIES
Each dependency is a potential attack vector. Evaluate if you really need that package or can implement it yourself.
6
MONITOR ALERTS
Set up automated scanning and subscribe to security advisories to catch compromised packages immediately.
Subscribe for updates

Get occasional updates on new features and security highlights

PROTECTING DEVELOPERS FROM SUPPLY CHAIN ATTACKS

Subscribe for updates

Get occasional updates on new features and security highlights.