This is actually a pretty useful idea. npm supply-chain stuff is getting sketchy enough that catching bad packages earlier makes a lot of sense.How are you handling false positives so it doesn’t get noisy?
I built a free IDE extension to catch malicious npm packages before they wreck your project
13 Comments
@[peponder] Thanks! Yeah, supply-chain attacks have been ramping up a lot — it felt like a gap worth closing right in the IDE.
For false positives, the extension uses a multi-signal approach rather than flagging on any single heuristic. It cross-references known malicious package databases (like the OSS Malicious Packages dataset), checks for typosquatting patterns against popular packages, and looks at publish metadata anomalies (e.g. brand-new package with no repo, sudden ownership transfer, obfuscated install scripts).
The idea is that a single yellow flag doesn't block you — it needs a combination of signals to raise a warning. You also get context on why something was flagged, so you can make the call yourself rather than just getting a blanket block.
Still iterating on the threshold tuning. If you try it and hit a noisy case, I'd genuinely love the feedback — it helps calibrate the scoring.
Please log in to add a comment.
@[Med Marrouchi] That's a fair point — npm has been making real strides, and tightening postinstall restrictions is a step in the right direction.
That said, I think there's still a gap the extension helps fill: npm's security improvements happen at install time, but by then the package is already being pulled into your project. The goal here is to catch suspicious packages before you even run npm install — right when you're typing the package name in your editor.
It's less about replacing what npm is doing and more about shifting the detection earlier in the workflow. Supply-chain attacks also keep evolving (typosquatting, dependency confusion, malicious updates to legitimate packages) in ways that versioned npm fixes can't always anticipate fast enough.
So hopefully they complement each other rather than overlap. Would love to hear your thoughts if you see specific areas where the extension could better adapt to what npm is already handling!
@[Med Marrouchi] You're raising a really valid point — and honestly, it's something I thought hard about while building this.
The irony isn't lost on me: an extension warning you about malicious packages could itself become an attack surface. The GitHub/VSCode incidents you're referencing are a perfect example of why trust in tooling can't be assumed.
A few things I've tried to do to keep NPM Safety Guard trustworthy:
- No remote code execution — the extension doesn't run scripts or shell commands
- Minimal permissions — it only reads your
package.json, no filesystem or network access beyond the package lookup API - Open source — the code is fully auditable on GitHub so anyone can verify what it's actually doing
But you're absolutely right that users should scrutinize any extension they install, including this one. Trust but verify. 🙂
Please log in to add a comment.
@[Josaphatstar] Exactly! The number of compromised packages has been climbing steadily — and a lot of them slip through because developers trust the ecosystem by default. That's the gap this extension tries to close: flagging suspicious packages right in the editor before they ever touch your project. Hope it saves you from a headache or two! 😄
Please log in to add a comment.
@[immanuel-gabriel] Thanks so much, really appreciate it! 🙏
Yeah, the npm worm discussion was honestly a big wake-up call for a lot of developers — it showed just how fast a malicious package can propagate through the ecosystem once it gets a foothold. That's exactly the kind of scenario this extension is designed to help with: catching the suspicious package before it lands in your project rather than scrambling after the fact.
Glad the timing feels relevant — would love to hear any feedback if you give it a spin!
Please log in to add a comment.
@[buildbasekit] Honestly, the AI Config Guard layer (added in v1.15.0) was the most eye-opening. It was a direct response to the Nx Console incident where packages were stealing Claude Code credentials and 1Password sessions from developer machines. Nobody expected supply chain attacks to go after your AI assistant config. The dependency-confusion layer is a close second — the number of suspiciously named public packages with zero download history is unsettling once you start looking.
@[jomy_nn] The AI config angle is definitely not where most developers expect supply-chain attacks to show up.
Feels similar to how attackers always seem to target the weakest link in the workflow rather than the part everyone is watching. I'll have to read up on the Nx incident. Thanks for sharing that example.
Please log in to add a comment.
Please log in to comment on this post.
More Posts
- © 2026 Coder Legion
- Feedback / Bug
- Privacy
- About Us
- Contacts
- Premium Subscription
- Terms of Service
- Refund
- Early Builders
Related Jobs
- Freelance Software Developer (Ruby) - AI TrainerMind Rift · Full time · Italian Republic
- Remote Freelancer Senior .NET Full-stack DeveloperPradeepit consulting services pvt Itd. · Full time · United States
- Salesforce Developer Academy Free Virtual CourseBC Soft Srl · Full time · Italian Republic
Commenters (This Week)
Contribute meaningful comments to climb the leaderboard and earn badges!