DEV Community

jomynn
jomynn

Posted on

I built a free IDE extension to catch malicious npm packages before they wreck your project

Supply-chain attacks via npm are up year-over-year — packages like event-stream,
the Lazarus group drops, and AI-hallucinated typosquats keep landing in real codebases.
I got tired of finding out after the fact, so I built NPM Safety Guard.

What it does

It scans your package.json and lockfiles right inside your editor — no separate CLI step.

Here's what it currently catches across 22 detection layers:

  • Known malicious packages — DPRK RAT drops, Lazarus-linked packages, event-stream clones
  • CVEs — via OSV.dev, cached locally (free, no API key needed)
  • Typosquatting & homoglyph attacks — catches lodahs, reàct, and AI-hallucinated package names
  • Install script hooks — flags preinstall/postinstall before you run them
  • Deep tarball AST scan — detects obfuscation, eval, and payload patterns in the actual source
  • Dependency confusion — scoped packages planted on public npm to hijack private installs
  • Exposed secrets — API keys, tokens, private keys accidentally left in .env, .npmrc, .pem
  • MCP server config scanner — catches typosquatted or malicious MCP transport configs
  • Supply chain graph — interactive force-directed graph with risk overlay from your lockfile
  • OSSF Scorecard + Socket.dev score — security hygiene at a glance

Where to get it

All free. No account required for the core layers. MIT licensed on the VS Code side.

Under the hood

The VS Code extension is TypeScript. The JetBrains plugin is Kotlin. They share the same
detection signatures bundled at build time — no cloud dependency for the core scan.

CVE lookups hit OSV.dev with a 24-hour local cache so you're not waiting on a network
call every keystroke.


Have you been burned by a supply-chain attack before? Or do you have a detection layer
you wish existed? Drop it in the comments — I'm actively adding new signatures.

Top comments (0)