Automated static analysis of npm packages. Detect lifecycle script attacks, obfuscated code, credential harvesting, and version tampering in seconds.
Each scan checks a package for the following signals:
Lifecycle scripts: preinstall, install, and postinstall scripts that execute code during npm install.
Obfuscated code: _0x-style variable names, eval(), new Function(), and Base64-encoded payloads.
Credential harvesting: access to AWS keys, GitHub tokens, npm tokens, and other sensitive environment variables.
Version tampering: abnormal size changes, new maintainers, and new dependencies between versions.
Install-time network and process activity: outbound HTTP calls and child_process usage in install scripts.
Suspicious IP addresses embedded in package code.
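The checks listed above, illustrated as an added example that is not the scanner's own code: a minimal static pass over a constructed package.json and install-script source, flagging lifecycle hooks, obfuscation markers, credential reads, install-time network references, and child_process use. The regexes and rule names are assumptions chosen for this illustration, not the service's actual rules.

```javascript
// Added example: simple static heuristics for npm package triage.
// The patterns below are assumptions for illustration, not the service's rules.
const LIFECYCLE = ["preinstall", "install", "postinstall"];
const CRED_ENV = /process\.env\.(AWS_[A-Z_]+|GITHUB_TOKEN|NPM_TOKEN|NODE_AUTH_TOKEN)/g;
const OBFUSCATION = [
  [/\b_0x[0-9a-f]{4,}\b/i, "_0x identifier"],
  [/\beval\s*\(/, "eval()"],
  [/new\s+Function\s*\(/, "new Function()"],
  [/['"`][A-Za-z0-9+/]{80,}={0,2}['"`]/, "long base64 literal"],
];
const NETWORK = /\bcurl\b|\bwget\b|https?:\/\//;

// pkg: parsed package.json; sources: { filename: sourceText }
function scanPackage(pkg, sources) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    findings.push({ rule: "lifecycle-script", hook, detail: cmd });
    if (NETWORK.test(cmd)) findings.push({ rule: "install-network", hook, detail: cmd });
  }
  for (const [file, text] of Object.entries(sources)) {
    for (const [re, name] of OBFUSCATION) {
      if (re.test(text)) findings.push({ rule: "obfuscation", file, detail: name });
    }
    for (const m of text.matchAll(CRED_ENV)) {
      findings.push({ rule: "credential-access", file, detail: m[1] });
    }
    if (/require\(['"]child_process['"]\)/.test(text)) {
      findings.push({ rule: "child-process", file, detail: "child_process required" });
    }
  }
  return findings;
}

// Constructed sample package (not a real published package).
const samplePkg = { name: "example-pkg", version: "1.0.0", scripts: { postinstall: "node setup.js" } };
const sampleSources = {
  "setup.js": [
    "const cp = require('child_process');",
    "const _0x1a2b = process.env.AWS_SECRET_ACCESS_KEY;",
    "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());",
  ].join("\n"),
};

for (const f of scanPackage(samplePkg, sampleSources)) {
  console.log(`[${f.rule}] ${f.hook || f.file}: ${f.detail}`);
}
```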