DEV Community

Domenic Wehkamp

I built a pre-install security scanner because npm install scared me

Last month, I ran npm install on a project and realized something terrifying: I had no idea what code was about to execute on my machine.

Sure, we've all heard about supply chain attacks. The event-stream incident, the ua-parser-js malware, the countless typosquatting packages stealing credentials.

But we still run npm install blindly. Every. Single. Day.

So I built Sapo - a CLI tool that scans packages before they touch your system.

The Problem

When you run npm install axios, here's what happens:

  1. npm resolves and downloads the package and its entire dependency tree
  2. npm runs the preinstall scripts declared by any of those packages
  3. npm runs their install and postinstall scripts, as your user, without asking
  4. You're already compromised if any one of them was malicious

By the time you realize something is wrong, the damage is done. Those scripts can read anything your user can read: your .env file, your SSH keys, your AWS credentials - all potentially exfiltrated. npm install --ignore-scripts turns the scripts off, but it also breaks packages that legitimately need a build step, and it does nothing about a typosquatted name.

The Solution

Sapo wraps your package manager and intercepts install commands:

$ npm install lodahs # typo - this is a malicious package!

[>] Scanning: lodahs@1.0.0
[!] BLOCKED: Typosquatting detected
Similar to: lodash (337M downloads)

Installation cancelled.
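To make both problems concrete, here is an added example that is not part of the original post and not Sapo's source or its detection rules: a minimal pre-install check in Node.js that flags install-time lifecycle scripts declared in a package manifest and names that sit within one or two edits of a popular package. The popular-package list, its download counts and the lodahs manifest are constructed for the example, and the edit-distance threshold is an assumption, not how Sapo decides.

```javascript
// Added example, not Sapo's code. A minimal pre-install check for the two
// problems described in the post: install-time lifecycle scripts and
// typosquatted names. All data below is constructed for the example.

// Constructed sample of popular package names with download counts.
const POPULAR_PACKAGES = [
  { name: "lodash", weeklyDownloads: 337_000_000 },
  { name: "axios", weeklyDownloads: 60_000_000 },
  { name: "express", weeklyDownloads: 35_000_000 },
  { name: "chalk", weeklyDownloads: 300_000_000 },
];

// Lifecycle scripts npm runs automatically during install, in this order.
const INSTALL_LIFECYCLE = ["preinstall", "install", "postinstall"];

// Optimal string alignment distance (Levenshtein plus adjacent transpositions),
// so "lodahs" -> "lodash" counts as one edit, not two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the popular package a name is suspiciously close to, or null.
// An exact match is not a typosquat. Threshold (assumed): one edit for short
// names, two for names of eight characters or more.
function detectTyposquat(name, popular = POPULAR_PACKAGES) {
  const lower = name.toLowerCase();
  let best = null;
  for (const pkg of popular) {
    if (pkg.name === lower) return null;
    const threshold = pkg.name.length >= 8 ? 2 : 1;
    const distance = editDistance(lower, pkg.name);
    if (distance <= threshold && (best === null || distance < best.distance)) {
      best = { similarTo: pkg.name, weeklyDownloads: pkg.weeklyDownloads, distance };
    }
  }
  return best;
}

// Lists install-time lifecycle scripts declared in a parsed package.json.
function findInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_LIFECYCLE.filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Combined verdict: block on a typosquat, warn on every lifecycle script.
function scanPackage(manifest, popular = POPULAR_PACKAGES) {
  const findings = [];
  const squat = detectTyposquat(manifest.name, popular);
  if (squat) findings.push({ severity: "block", reason: "typosquat", ...squat });
  for (const s of findInstallScripts(manifest)) {
    findings.push({ severity: "warn", reason: "lifecycle-script", ...s });
  }
  return {
    name: manifest.name,
    version: manifest.version,
    blocked: findings.some((f) => f.severity === "block"),
    findings,
  };
}

// Constructed manifest standing in for what a scanner would fetch from the
// registry before letting npm touch the filesystem.
const SAMPLE_MANIFEST = {
  name: "lodahs",
  version: "1.0.0",
  scripts: { postinstall: "node setup.js" },
};

console.log(JSON.stringify(scanPackage(SAMPLE_MANIFEST), null, 2));
```

A real scanner would pull the manifest from the registry metadata (or the tarball) for every package in the resolved tree, not just the one named on the command line, and would need a far larger popular-package list than the four constructed entries here; the point is that both checks run before any script does.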

GitHub: github.com/Salta1414/sapo-cli
Website: sapo.salta.world
