Supply-chain attacks via npm are up year-over-year — packages like event-stream,
the Lazarus group drops, and AI-hallucinated typosquats keep landing in real codebases.
I got tired of finding out after the fact, so I built NPM Safety Guard.
What it does
It scans your package.json and lockfiles right inside your editor — no separate CLI step.
Here's what it currently catches across 22 detection layers:
- Known malicious packages — DPRK RAT drops, Lazarus-linked packages, event-stream clones
- CVEs — via OSV.dev, cached locally (free, no API key needed)
-
Typosquatting & homoglyph attacks — catches
lodahs,reàct, and AI-hallucinated package names -
Install script hooks — flags
preinstall/postinstallbefore you run them -
Deep tarball AST scan — detects obfuscation,
eval, and payload patterns in the actual source - Dependency confusion — scoped packages planted on public npm to hijack private installs
-
Exposed secrets — API keys, tokens, private keys accidentally left in
.env,.npmrc,.pem - MCP server config scanner — catches typosquatted or malicious MCP transport configs
- Supply chain graph — interactive force-directed graph with risk overlay from your lockfile
- OSSF Scorecard + Socket.dev score — security hygiene at a glance
Where to get it
- VS Code / Cursor / Windsurf → VS Code Marketplace
- VS Codium / open-source IDEs → Open VSX Registry
- WebStorm / IntelliJ IDEA / all JetBrains IDEs → JetBrains Marketplace
All free. No account required for the core layers. MIT licensed on the VS Code side.
Under the hood
The VS Code extension is TypeScript. The JetBrains plugin is Kotlin. They share the same
detection signatures bundled at build time — no cloud dependency for the core scan.
CVE lookups hit OSV.dev with a 24-hour local cache so you're not waiting on a network
call every keystroke.
Have you been burned by a supply-chain attack before? Or do you have a detection layer
you wish existed? Drop it in the comments — I'm actively adding new signatures.
