npm-scanner

npm-scanner Documentation

Security auditing toolkit for detecting npm supply chain attacks. Detects threats that npm audit misses—URL dependencies (PhantomRaven-style attacks), malicious lifecycle scripts, typosquatting, and suspicious package metadata.

Zero npm dependencies by design: a security tool that depends on npm packages would be vulnerable to the same attacks it’s trying to detect.

---

Users

Get started with npm-scanner and learn how to protect your projects.

How-To Guides

• Set Up npm-scanner — Install and run your first scan
• Scan Projects — Audit installed packages and dependencies
• Validate Packages — Check packages before installation
• Integrate with CI/CD — Automate scanning in pipelines

Reference

• Command Reference — All commands and options

Explanation

• Threat Model — What attacks npm-scanner detects and why

---

Contributors

Understand the codebase and contribute improvements.

How-To Guides

• Contribute — Development setup and guidelines

Reference

• Architecture — Codebase structure and components

Explanation

• Design Decisions — Why the toolkit works the way it does

This site is open source. Improve this page.