Open Source · Zero Dependencies · v1.2.1

@araptus/npm-security-scanner

Detect compromised npm packages in your Node.js projects.

A fast, zero-dependency CLI tool that scans your dependencies against a database of known malicious packages. Works with npm, pnpm, and yarn.

Quick Install

npx @araptus/npm-security-scanner

Inspired by the 2025 npm Supply Chain Crisis

In September 2025, the Shai-Hulud npm worm, self-replicating malware, infected 187+ packages with over 2 million weekly downloads. Together with cryptocurrency-hijacking attacks that affected packages with 2.6 billion downloads, it showed that traditional security tools did not detect these threats quickly enough.

We built this scanner to provide instant, local detection without waiting for CVE databases to update.

What It Detects

Comprehensive protection against the latest npm supply chain threats


96+ Known Malicious Packages

Confirmed threats from npm security advisories, including the 2025 attack campaigns.


5 Major 2025 Campaigns

Shai-Hulud, PhantomRaven, Gluestick RAT, and other coordinated supply chain attacks.


Version-Specific Compromises

Only flags affected versions, not entire packages. No false positives on safe versions.


Typosquatting Variants

Common misspellings of popular packages like "lodahs", "reacct", "expresss".


Credential Theft Packages

Packages designed to steal npm tokens, API keys, and developer credentials.


Crypto Mining Malware

Hidden cryptocurrency miners embedded in innocent-looking dependencies.

Installation & Usage

Get started in seconds with zero configuration required

Quick Start

Run directly with npx (no install needed):

npx @araptus/npm-security-scanner

Or install globally:

npm install -g @araptus/npm-security-scanner
npm-security-scan

Add as dev dependency:

pnpm add -D @araptus/npm-security-scanner

Add to package.json

{
  "scripts": {
    "security:scan": "npm-security-scan",
    "security:scan:verbose": "npm-security-scan --verbose",
    "security:scan:json": "npm-security-scan --json",
    "security:scan:strict": "npm-security-scan --strict"
  }
}

CLI Options

Option          Description
--verbose, -v   Show detailed output for each package checked
--json          Output results as JSON (for CI/CD parsing)
--strict        Exit with error code 1 on any finding
--quiet, -q     Minimal output, only show issues
--help, -h      Display help information

Multi-Project Scanning

Scan multiple Node.js projects at once using the built-in multi-scanner:

# Scan all projects in a directory
npm-security-scan --scan-dir ~/Projects

# Or manage a project list
npm-security-scan --add-project ~/my-app
npm-security-scan --list-projects
npm-security-scan --scan-all

CI/CD Integration

Automate security scanning in your deployment pipeline

GitHub Actions Example

# .github/workflows/security.yml
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 9 * * 1'  # Weekly Monday 9am

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          
      - name: Install dependencies
        run: npm ci
        
      - name: Run security scan
        run: npx @araptus/npm-security-scanner --strict
        
      - name: Generate JSON report
        if: always()
        run: npx @araptus/npm-security-scanner --json > security-report.json
        
      - name: Upload security report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.json

Exit Codes

Exit 0: Clean, no issues
Exit 1: Critical issues found
Exit 2: Configuration error

Threat Database

Continuously updated database of known malicious packages

The threat database at security/compromised-packages.json includes:

knownMalicious.confirmed

Packages confirmed as malicious by security researchers

knownMalicious.typosquatting

Typosquatting variants of popular packages

knownMalicious.credentialTheft

Token and credential stealers

knownMalicious.cryptoMalware

Crypto mining packages

campaigns

Coordinated attack campaigns with affected versions

trustedPackages

Allowlist of known-safe packages

Update the database instantly:

Edit security/compromised-packages.json → Rerun scan

No waiting for third-party database updates. Your database, your control.
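The following is an added illustration, not the scanner's own source code: it shows how a zero-dependency check of a package-lock.json against a database with the category names listed above could work, including the version-specific flagging and the --strict exit code described on this page. The inner layout of each category (package name mapped to a list of affected versions, with "*" meaning every version), the package names and the lockfile fragment are all constructed assumptions.

```javascript
// Added illustration, not the scanner's own source: a zero-dependency check of a
// package-lock.json against a database shaped like security/compromised-packages.json.
// Assumed inner layout: name -> list of affected versions, "*" meaning every version.
const db = {
  knownMalicious: {
    confirmed: { "example-bad-pkg": ["*"] },                 // constructed names throughout
    typosquatting: { lodahs: ["*"], reacct: ["*"] },
    credentialTheft: { "example-token-grabber": ["*"] }, cryptoMalware: {}
  },
  campaigns: { "example-campaign": { "example-widget": ["2.1.5", "2.1.6"] } },
  trustedPackages: ["lodash", "react"]
};

// Constructed package-lock.json v3 fragment; only the nested copy of example-widget is affected.
const lock = {
  packages: {
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodahs": { version: "1.0.0" },
    "node_modules/example-widget": { version: "2.1.4" },
    "node_modules/some-lib/node_modules/example-widget": { version: "2.1.5" }
  }
};

// Installed name/version pairs; slicing after the last "node_modules/" keeps @scope/name intact.
function depsFromLockfile(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([p]) => p.includes("node_modules/"))
    .map(([p, meta]) => ({ name: p.slice(p.lastIndexOf("node_modules/") + 13), version: meta.version }));
}

// Flag only affected versions; trustedPackages short-circuits every lookup.
function scanDependencies(database, deps) {
  const trusted = new Set(database.trustedPackages || []);
  const sources = [
    ...Object.entries(database.knownMalicious).map(([c, e]) => [`knownMalicious.${c}`, e]),
    ...Object.entries(database.campaigns).map(([c, e]) => [`campaign:${c}`, e])
  ];
  const findings = [];
  for (const { name, version } of deps) {
    if (trusted.has(name)) continue;
    for (const [category, entries] of sources) {
      const affected = entries[name];
      if (affected && (affected.includes("*") || affected.includes(version))) {
        findings.push({ name, version, category });
      }
    }
  }
  return findings;
}
const strictExitCode = (findings) => (findings.length > 0 ? 1 : 0); // --strict: any finding exits 1
console.log(JSON.stringify(scanDependencies(db, depsFromLockfile(lock))));
```

Run with `node`, it reports lodahs@1.0.0 as a typosquat and example-widget@2.1.5 as a campaign hit while leaving example-widget@2.1.4 and the allowlisted lodash alone.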

Why This Scanner?

Built for speed, simplicity, and real-world threats

Zero Dependencies

Pure Node.js implementation. No external packages to worry about—no dependency inception problem.

Instant Updates

Edit a JSON file to add new threats. No waiting for CVE databases or third-party services.

Works Offline

No API calls, no rate limits, no internet required. Perfect for air-gapped environments.

Comparison with Other Tools

Feature This Scanner npm audit Snyk
Works Offline
Zero Dependencies
Supply Chain Attacks Partial
Instant Database Updates
Free Forever Limited

Protect Your Projects Today

One command. Zero configuration. Instant protection against npm supply chain attacks.

npx @araptus/npm-security-scanner
