I'm writing this article quickly for all the developers who would like to detect 🚩 Marak dependencies in their projects and protect themselves.
I made the decision to take a stand based on the impact of Marak's latest publications (which don't seem to be stopping anytime soon 😰).
NodeSecure can now detect packages created by Marak and it will generate a global warning ⚠️.
Read more about our tools and organization here.
Our main tool is a CLI/API that fetches and deeply analyzes the dependency tree of a given npm package (or of a local project with a package.json) and outputs a .json file containing all the metadata and flags for each package. All this data makes it possible to quickly identify different issues (related to security and quality) across projects and packages.
```sh
$ npm install @nodesecure/cli -g

# Scan an npm package and open it in the WebUI
$ nsecure auto express

# Omit the package name to scan a local project
$ nsecure auto
```
Complete CLI documentation here.
I hope this helps.