
NPMScan
Malicious npm package detection & security scanner
3 followers
Protect your Node.js projects from supply chain attacks. Scan npm packages for malware, crypto-drainers, and security vulnerabilities. Real-time threat intelligence database tracking malicious packages.

Why we built NPMScan
Too many teams still run npm i blind. Recent npm waves (drainers, typosquats, maintainer takeovers) showed how fast a bad release slips into CI and ships to prod. I wanted a dead-simple preflight check that catches malware now, not just CVEs from last year.
What’s different vs. the usual scanners
* Active malware intel: live feed of malicious packages/campaigns, not just advisory databases.
* Drainer & takeover heuristics: flags obfuscated postinstall scripts, suspicious maintainer changes, exfil patterns, clipboard/crypto hooks.
* Zero setup: paste package.json or enter package@version → instant risk snapshot.
* Release diffing: highlights risky jumps (new scripts/bins/deps) so you can pin or skip.
* CI optional: great in-browser; API/CLI if you want gates later.
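As an added illustration of the two bullets above (drainer/takeover heuristics and release diffing), here is a small Node.js script. It is not NPMScan's own code: it diffs two package.json manifests, flags new lifecycle scripts, bins and dependencies, and runs a handful of hypothetical patterns over the candidate's install-time scripts. The rule list, the scoring weights and the two sample manifests are assumptions made up for this example.

```javascript
// Added example (not NPMScan's own code): a minimal "release diff" preflight.
// It compares a previous package.json against a candidate version and reports
// the risky jumps named above: new lifecycle scripts, new bins, new deps. It
// then runs a few simple heuristics over the candidate's install-time scripts.
// Pattern list, scoring thresholds and sample manifests are all constructed.

const LIFECYCLE = new Set([
  'preinstall', 'install', 'postinstall', 'prepare',
  'preuninstall', 'uninstall', 'postuninstall',
]);

// Hypothetical heuristic patterns. A production scanner would use a far
// larger, curated ruleset; these only show the shape of such checks.
const SCRIPT_HEURISTICS = [
  { id: 'eval',          re: /\beval\s*\(|new Function\s*\(/,                       why: 'dynamic code evaluation in an install script' },
  { id: 'base64',        re: /base64|atob\s*\(/i,                                   why: 'base64 handling (often an obfuscated payload)' },
  { id: 'fetch-exec',    re: /\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b/,           why: 'download piped straight into an interpreter' },
  { id: 'child-process', re: /child_process|execSync|spawnSync/,                    why: 'spawns subprocesses during install' },
  { id: 'secrets',       re: /process\.env|\b[A-Z][A-Z0-9_]*_(TOKEN|SECRET|KEY|PASSWORD)\b/, why: 'touches env vars / credential-like names' },
];

const keysOf = (obj) => Object.keys(obj || {});

// Keys present in `next` but absent from `prev`.
function addedKeys(prev, next) {
  const before = new Set(keysOf(prev));
  return keysOf(next).filter((k) => !before.has(k));
}

// npm allows "bin" to be a bare string (command = package name) or a map.
function binMap(manifest) {
  const bin = manifest.bin;
  if (!bin) return {};
  return typeof bin === 'string' ? { [manifest.name]: bin } : bin;
}

function scanScript(name, body) {
  return SCRIPT_HEURISTICS
    .filter((h) => h.re.test(body))
    .map((h) => ({ kind: 'script-heuristic', name, rule: h.id, why: h.why }));
}

// Compare prev -> next and return { score, level, findings }.
function diffRelease(prev, next) {
  const findings = [];

  for (const s of addedKeys(prev.scripts, next.scripts)) {
    findings.push({ kind: 'new-script', name: s, lifecycle: LIFECYCLE.has(s) });
  }
  for (const b of addedKeys(binMap(prev), binMap(next))) {
    findings.push({ kind: 'new-bin', name: b, target: binMap(next)[b] });
  }
  for (const field of ['dependencies', 'optionalDependencies']) {
    for (const d of addedKeys(prev[field], next[field])) {
      findings.push({ kind: 'new-dep', name: d, field, range: next[field][d] });
    }
  }
  // Heuristics run over every lifecycle script in the candidate, new or not:
  // an existing postinstall can change its body without changing its name.
  for (const [name, body] of Object.entries(next.scripts || {})) {
    if (LIFECYCLE.has(name)) findings.push(...scanScript(name, body));
  }

  // Made-up weights: a new install-time hook is the loudest single signal.
  const weight = {
    'new-script': (f) => (f.lifecycle ? 3 : 1),
    'new-bin': () => 1,
    'new-dep': () => 1,
    'script-heuristic': () => 2,
  };
  const score = findings.reduce((acc, f) => acc + weight[f.kind](f), 0);
  const level = score >= 5 ? 'high' : score >= 2 ? 'medium' : 'low';
  return { score, level, findings };
}

// Constructed sample: a patch release that quietly gains a postinstall hook,
// a CLI entry point and a network-capable dependency.
const PREV = {
  name: 'tiny-pad', version: '1.0.0',
  scripts: { test: 'node test.js' },
  dependencies: { chalk: '^4.1.2' },
};
const NEXT = {
  name: 'tiny-pad', version: '1.0.1',
  scripts: {
    test: 'node test.js',
    postinstall: 'node -e "eval(Buffer.from(\'<base64 blob>\', \'base64\').toString())"',
  },
  bin: { 'tiny-pad': './cli.js' },
  dependencies: { chalk: '^4.1.2', 'node-fetch': '^2.6.7' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(diffRelease(PREV, NEXT), null, 2));
}
```

Run it with node. The constructed 1.0.0 → 1.0.1 jump scores high because the new postinstall hook, plus its eval and base64 hits, carries most of the weight; the identical-manifest case scores low. A check like this sits naturally before npm install in CI, and its heuristic hits are a cue to go read the script, not a verdict on the package.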
It’s fast, blunt, and practical. No login, no fluff—just “is this safe to install?” in seconds.
* No source code required: if you don’t trust anyone (good instinct), don’t upload your repo—just share package.json.
* No installs, no extensions: you don’t need to install anything. Even VS Code extensions can touch env vars or run scripts; NPMScan runs in your browser, read-only.
* One-page context you usually click around for: see latest commits, open issues, and maintainer info for each package on a single page. On GitHub you’d bounce between tabs; here it’s consolidated.
* Trust but verify: we show the raw facts (commits/issues/maintainers/scripts/diffs) so you can do your own analysis if you don’t want to rely on ours.
Roadmap (tell me what to prioritize):
GitHub App PR comments • lockfile diff guard • VS Code extension (strictly read-only) • private registry proxy with policy • SBOM export + API.
I’d love brutal feedback and real packages to test—drop any package@version you’re worried about and I’ll run a deep scan.
Try it: npmscan.com • X: block_hacks