Supply-chain attacks via npm are up year-over-year: packages like event-stream, the Lazarus group drops, and AI-hallucinated typosquats keep landing in real codebases.
I got tired of finding out after the fact, so I built NPM Safety Guard.
It scans your package.json and lockfiles right inside your editor, with no separate CLI step.
Here's what it currently catches across 22 detection layers:
- Typosquats and lookalikes: lodahs, reàct, and AI-hallucinated package names
- Install scripts: preinstall/postinstall hooks, flagged before you run them
- eval and payload patterns in the actual source
- Sensitive files: .env, .npmrc, .pem
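To make the first three layers concrete, here is an added TypeScript sketch of how such checks can work. It is illustrative code written for this post, not NPM Safety Guard's own implementation; the popular-package allowlist, the payload regexes and the sample package.json are constructed assumptions, and a real tool would bundle far more signatures.

```typescript
// Added example (not NPM Safety Guard's code): three toy detection layers,
// run over constructed input. Allowlist and regexes are assumptions.

type Finding = { layer: "typosquat" | "install-script" | "payload"; detail: string };

// Constructed allowlist of well-known names (assumption; a real tool would
// bundle a much larger list of top-downloaded packages).
const POPULAR = ["lodash", "react", "express", "axios", "chalk", "debug"];

// Strip diacritics/confusables so "reàct" compares as "react".
function canonical(name: string): string {
  return name.normalize("NFKD").replace(/[\u0300-\u036f]/g, "").toLowerCase();
}

// Optimal-string-alignment (Damerau-Levenshtein) distance, so the single
// transposition in "lodahs" vs "lodash" counts as distance 1.
function osaDistance(a: string, b: string): number {
  const d: number[][] = Array.from({ length: a.length + 1 }, () =>
    new Array<number>(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Layer 1: a dependency that is not itself popular but is within one edit
// (or differs only by diacritics) of a popular name is a lookalike candidate.
function checkTyposquat(name: string): Finding | null {
  if (POPULAR.includes(name)) return null;
  const c = canonical(name);
  for (const p of POPULAR) {
    if (c === p || osaDistance(c, p) <= 1) {
      return { layer: "typosquat", detail: `${name} looks like ${p}` };
    }
  }
  return null;
}

// Layer 2: lifecycle scripts run automatically on `npm install`, so surface
// them before the user runs them.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
function checkInstallScripts(pkg: { scripts?: Record<string, string> }): Finding[] {
  const out: Finding[] = [];
  for (const [k, v] of Object.entries(pkg.scripts ?? {})) {
    if (LIFECYCLE.includes(k)) out.push({ layer: "install-script", detail: `${k}: ${v}` });
  }
  return out;
}

// Layer 3: crude payload patterns in source text (constructed regexes).
const PAYLOAD_PATTERNS: [string, RegExp][] = [
  ["eval", /\beval\s*\(/],
  ["new Function", /new\s+Function\s*\(/],
  ["child_process", /require\(\s*['"]child_process['"]\s*\)/],
  ["base64 blob", /[A-Za-z0-9+/]{80,}={0,2}/],
];
function checkPayload(src: string): Finding[] {
  return PAYLOAD_PATTERNS
    .filter(([, re]) => re.test(src))
    .map(([n]): Finding => ({ layer: "payload", detail: n }));
}

// Run layers 1 and 2 over a parsed package.json object.
function scanPackageJson(pkg: {
  dependencies?: Record<string, string>;
  scripts?: Record<string, string>;
}): Finding[] {
  const out: Finding[] = [];
  for (const dep of Object.keys(pkg.dependencies ?? {})) {
    const f = checkTyposquat(dep);
    if (f) out.push(f);
  }
  return out.concat(checkInstallScripts(pkg));
}

// Constructed sample input (not a real package).
const SAMPLE_PKG = {
  dependencies: { lodahs: "^4.17.0", "reàct": "18.0.0", express: "^4.18.0" },
  scripts: { test: "jest", postinstall: "node setup.js" },
};
const SAMPLE_SRC =
  'const cp = require("child_process"); eval(Buffer.from(x, "base64").toString());';

console.log(scanPackageJson(SAMPLE_PKG));
console.log(checkPayload(SAMPLE_SRC));
```

The distance check is deliberately strict (one edit, after stripping diacritics): loosen it and you start flagging legitimately short, similar names, which is why production tools pair it with download counts, package age and maintainer data rather than name shape alone.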
All free. No account required for the core layers. MIT licensed on the VS Code side.
The VS Code extension is TypeScript. The JetBrains plugin is Kotlin. They share the same
detection signatures bundled at build time — no cloud dependency for the core scan.
CVE lookups hit OSV.dev with a 24-hour local cache so you're not waiting on a network
call every keystroke.
Have you been burned by a supply-chain attack before? Or do you have a detection layer
you wish existed? Drop it in the comments — I'm actively adding new signatures.