# I built a free IDE extension to catch malicious npm packages before they wreck your project

> Source: <https://dev.to/jomynn/i-built-a-free-ide-extension-to-catch-malicious-npm-packages-before-they-wreck-your-project-24oe>
> Published: 2026-06-18 10:16:30+00:00

Supply-chain attacks via npm are up year-over-year — packages like `event-stream`, the Lazarus group drops, and AI-hallucinated typosquats keep landing in real codebases.

I got tired of finding out *after* the fact, so I built **NPM Safety Guard**.

It scans your `package.json` and lockfiles right inside your editor — no separate CLI step.

Here's what it currently catches across **22 detection layers**:

- Typosquats and homoglyphs such as `lodahs`, `reàct`, and AI-hallucinated package names
- `preinstall`/`postinstall` scripts, flagged before you run them
- Obfuscation markers like `eval`, and payload patterns in the actual source
- References to credential files (`.env`, `.npmrc`, `.pem`)
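To make two of those layers concrete, here is an added example (not NPM Safety Guard's own code) that scans a `package.json` string for homoglyph and near-miss names and for install-time lifecycle scripts; the `POPULAR` list, the one-edit threshold and the sample input are assumptions I constructed for the demo.

```typescript
// Added example, not NPM Safety Guard's code; POPULAR and the threshold are assumptions.
const POPULAR = ["lodash", "react", "express", "axios", "chalk"];
// Fold case and strip combining marks so the homoglyph `reàct` compares as `react`.
function normalize(name: string): string {
  return name.normalize("NFD").replace(/[\u0300-\u036f]/g, "").toLowerCase();
}
// Optimal string alignment distance: an adjacent swap (lodahs -> lodash) costs 1.
function editDistance(a: string, b: string): number {
  const d: number[][] = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

type Finding = { kind: "homoglyph" | "typosquat" | "install-script"; detail: string };
// Flag non-ASCII lookalikes, near-misses of popular names, and lifecycle scripts
// that would execute on `npm install`, before anything is actually installed.
function scanPackageJson(json: string): Finding[] {
  const pkg = JSON.parse(json);
  const findings: Finding[] = [];
  const deps = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  for (const name of Object.keys(deps)) {
    const n = normalize(name);
    if (n !== name) findings.push({ kind: "homoglyph", detail: `${name} normalizes to ${n}` });
    for (const p of POPULAR) {
      if (n !== p && editDistance(n, p) <= 1)
        findings.push({ kind: "typosquat", detail: `${name} is one edit from ${p}` });
    }
  }
  for (const hook of ["preinstall", "postinstall"]) {
    const cmd = pkg.scripts?.[hook];
    if (cmd) findings.push({ kind: "install-script", detail: `${hook}: ${cmd}` });
  }
  return findings;
}

// Constructed sample input: a typosquat, a homoglyph and a postinstall hook.
const SAMPLE = JSON.stringify({ name: "demo", scripts: { postinstall: "node ./setup.js" },
  dependencies: { lodahs: "^4.17.21", "reàct": "^18.0.0", express: "^4.18.2" } });
console.log(scanPackageJson(SAMPLE));
```

A real scanner would also walk the lockfile so transitive dependencies get the same checks, which the post says the extension does.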

All free. No account required for the core layers. MIT licensed on the VS Code side.

The VS Code extension is TypeScript. The JetBrains plugin is Kotlin. They share the same detection signatures bundled at build time — no cloud dependency for the core scan.

CVE lookups hit OSV.dev with a 24-hour local cache so you're not waiting on a network call every keystroke.

Have you been burned by a supply-chain attack before? Or do you have a detection layer you wish existed? Drop it in the comments — I'm actively adding new signatures.
