npm-scan
Static analysis for supply chain attacks. Detects typosquatting, infostealers, lifecycle hooks, and emerging threats before they enter your pipeline. Runs locally. No SaaS. No data collection.
Overview
npm-scan performs static analysis on npm packages to detect typosquatting, infostealers, lifecycle hooks, and supply chain attacks before they reach your codebase. It identifies 21+ attack patterns and emerging threat campaigns that traditional scanners miss.
Unlike SaaS-based tools, npm-scan runs entirely on your infrastructure with no data egress. Your dependency tree never leaves your network. Results are instantaneous — fast enough to integrate into any CI/CD pipeline or local workflow.
Detection coverage spans typosquatting and name confusion attacks, credential and data extraction (infostealers), install-time exploits via lifecycle hooks, dependency confusion, eBPF rootkits, module-load execution, self-defending and obfuscated payloads, profiling and reconnaissance scripts, and the latest 2024+ attack campaigns including Red Hat Scope, Miasma, and IronWorm.
Why npm-scan
Stop malicious packages before they enter your CI/CD pipeline. npm-scan evaluates every dependency before installation, blocking threats at the earliest possible point in your supply chain.
Detects threats other tools miss — novel attack campaigns, behavioral patterns, obfuscated payloads. Over 21 detection categories covering known and emerging attack vectors.
Evidence of due diligence for SOC 2, ISO 27001, FedRAMP, and customer security reviews. Auditable scan results demonstrate proactive supply chain defense.
Fast static analysis that integrates directly into your existing workflow. No slow network calls, no SaaS latency, no waiting for cloud results.
Threat Detection
| Detection Category | npm-scan | Snyk | npm audit | Sonatype | Socket |
|---|---|---|---|---|---|
| Typosquatting & name confusion | ✓ | — | — | — | ✓ |
| Infostealers & credential extraction | ✓ | — | — | — | ✓ |
| Lifecycle hooks & install-time attacks | ✓ | ✓ | — | ✓ | ✓ |
| Dependency confusion | ✓ | — | — | — | ✓ |
| eBPF rootkits & kernel exploits | ✓ | — | — | — | — |
| Module-load execution | ✓ | — | — | — | — |
| Self-defending code | ✓ | — | — | — | — |
| Profiling & reconnaissance | ✓ | — | — | — | — |
| 2024+ attack campaigns (Red Hat Scope, Miasma, IronWorm) | ✓ | — | — | — | ✓ |
Defense in Depth
CVE databases (Snyk, npm audit) catch known vulnerabilities in published packages. They don't detect malicious intent in new or typosquatted packages.
Typosquatting, infostealers, lifecycle hooks, and dependency confusion each require distinct detection approaches. A single scanner cannot cover all vectors.
npm-scan specializes in behavioral and novel threat detection — the attacks that don't have CVEs yet. It catches what signature-based tools miss.
Combine npm-scan with Snyk or npm audit for CVE coverage, and with SBOM tooling for full supply chain visibility. Each layer covers what the others cannot.
Use Cases
Scan dependencies before publishing to private registries. Ensure no malicious packages propagate through internal package distribution.
Detect supply chain attacks across large monorepos where dependency graphs are complex and manual review is impractical.
Meet compliance requirements for SOC 2, ISO 27001, FedRAMP, and customer security audits with documented supply chain scanning.
Block malicious packages at the PR or build stage. npm-scan integrates into any CI/CD pipeline with a single command.
Getting Started
Browse the source code, report issues, and contribute. MIT licensed.
→ github.com/lateos-ai/npm-scan
Free MIT for individuals. Business License for companies with employees.
→ View pricing & licensing
Install directly from the public npm registry. No signup required.
→ www.npmjs.com