I built a free IDE extension to catch malicious npm packages before they wreck your project

1 3 12
calendar_todayschedule1 min read

Supply-chain attacks via npm are up year-over-year — packages like event-stream,
the Lazarus group drops, and AI-hallucinated typosquats keep landing in real codebases.
I got tired of finding out after the fact, so I built NPM Safety Guard.

What it does

It scans your package.json and lockfiles right inside your editor — no separate CLI step.

Here's what it currently catches across 22 detection layers:

  • Known malicious packages — DPRK RAT drops, Lazarus-linked packages, event-stream clones
  • CVEs — via OSV.dev, cached locally (free, no API key needed)
  • Typosquatting & homoglyph attacks — catches lodahs, reàct, and AI-hallucinated package names
  • Install script hooks — flags preinstall/postinstall before you run them
  • Deep tarball AST scan — detects obfuscation, eval, and payload patterns in the actual source
  • Dependency confusion — scoped packages planted on public npm to hijack private installs
  • Exposed secrets — API keys, tokens, private keys accidentally left in .env, .npmrc, .pem
  • MCP server config scanner — catches typosquatted or malicious MCP transport configs
  • Supply chain graph — interactive force-directed graph with risk overlay from your lockfile
  • OSSF Scorecard + Socket.dev score — security hygiene at a glance

Where to get it

All free. No account required for the core layers. MIT licensed on the VS Code side.

Under the hood

The VS Code extension is TypeScript. The JetBrains plugin is Kotlin. They share the same
detection signatures bundled at build time — no cloud dependency for the core scan.

CVE lookups hit OSV.dev with a 24-hour local cache so you're not waiting on a network
call every keystroke.


Have you been burned by a supply-chain attack before? Or do you have a detection layer
you wish existed? Drop it in the comments — I'm actively adding new signatures.

13 Comments

2 votes
1
3 votes
2
2
2
3 votes
2
2 votes
0
2 votes
2
1
🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.

More Posts

How I Built a React Portfolio in 7 Days That Landed ₹1.2L in Freelance Work

Dharanidharan - Feb 9

Comparison: Universal Import vs. Plaid/Yodlee

Pocket Portfolio - Mar 12

I’m a Senior Dev and I’ve Forgotten How to Think Without a Prompt

Karol Modelskiverified - Mar 19

5 Web Dev Pitfalls That Are Silently Killing Your Projects (With Real Fixes)

Dharanidharan - Mar 3

MCP Is the USB-C of AI. So Why Are You Plugging Everything In?

Ken W. Algerverified - Jun 10
chevron_left
327 Points16 Badges
Thailandt.co/KtJ4M9krce
2Posts
7Comments
jomynn

Related Jobs

View all jobs →

Commenters (This Week)

5 comments
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!