Open Source Zero Dependencies v1.2.1

@araptus/npm-security-scanner

Detect compromised npm packages in your Node.js projects.

A fast, zero-dependency CLI tool that scans your dependencies against a database of known malicious packages. Works with npm, pnpm, and yarn.

Quick Install

npx @araptus/npm-security-scanner
πŸ›

Inspired by the 2025 npm Supply Chain Crisis

In September 2025, the Shai-Hulud npm worm, a self-replicating malware, infected 187+ packages with over 2 million weekly downloads. Together with the cryptocurrency hijacking attacks that affected packages with 2.6 billion downloads, these incidents showed that traditional security tools failed to detect such threats quickly enough.

We built this scanner to provide instant, local detection without waiting for CVE databases to update.

What It Detects

Comprehensive protection against the latest npm supply chain threats

96+ Known Malicious Packages

Confirmed threats from npm security advisories, including the 2025 attack campaigns.

πŸ›

5 Major 2025 Campaigns

Shai-Hulud, PhantomRaven, Gluestick RAT, and other coordinated supply chain attacks.

Version-Specific Compromises

Only flags affected versions, not entire packages. No false positives on safe versions.

Typosquatting Variants

Common misspellings of popular packages like "lodahs", "reacct", "expresss".

Credential Theft Packages

Packages designed to steal npm tokens, API keys, and developer credentials.

Crypto Mining Malware

Hidden cryptocurrency miners embedded in innocent-looking dependencies.

Installation & Usage

Get started in seconds with zero configuration required

Quick Start

Run directly with npx (no install needed):

npx @araptus/npm-security-scanner

Or install globally:

npm install -g @araptus/npm-security-scanner
npm-security-scan

Add as dev dependency:

pnpm add -D @araptus/npm-security-scanner

Add to package.json

{
  "scripts": {
    "security:scan": "npm-security-scan",
    "security:scan:verbose": "npm-security-scan --verbose",
    "security:scan:json": "npm-security-scan --json",
    "security:scan:strict": "npm-security-scan --strict"
  }
}

CLI Options

Option Description
--verbose, -v Show detailed output for each package checked
--json Output results as JSON (for CI/CD parsing)
--strict Exit with error code 1 on any finding
--quiet, -q Minimal output, only show issues
--help, -h Display help information

Multi-Project Scanning

Scan multiple Node.js projects at once using the built-in multi-scanner:

# Scan all projects in a directory
npm-security-scan --scan-dir ~/Projects

# Or manage a project list
npm-security-scan --add-project ~/my-app
npm-security-scan --list-projects
npm-security-scan --scan-all

CI/CD Integration

Automate security scanning in your deployment pipeline

GitHub Actions Example

# .github/workflows/security.yml
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 9 * * 1'  # Weekly Monday 9am

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          
      - name: Install dependencies
        run: npm ci
        
      - name: Run security scan
        run: npx @araptus/npm-security-scanner --strict
        
      - name: Generate JSON report
        if: always()
        run: npx @araptus/npm-security-scanner --json > security-report.json
        
      - name: Upload security report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.json

Exit Codes

Exit 0: Clean, no issues
Exit 1: Critical issues found
Exit 2: Configuration error

Threat Database

Continuously updated database of known malicious packages

The threat database at security/compromised-packages.json includes:

knownMalicious.confirmed

Packages confirmed as malicious by security researchers

knownMalicious.typosquatting

Typosquatting variants of popular packages

knownMalicious.credentialTheft

Token and credential stealers

knownMalicious.cryptoMalware

Crypto mining packages

campaigns

Coordinated attack campaigns with affected versions

trustedPackages

Allowlist of known-safe packages

Update the database instantly:

Edit security/compromised-packages.json → Rerun scan

No waiting for third-party database updates. Your database, your control.
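To make the database layout and the version-specific matching described above concrete, here is an added example (not the scanner's own source). Only the top-level keys knownMalicious.*, campaigns and trustedPackages come from this page; the shape of each entry, the sample package names and versions, and the package-lock.json v3 input are constructed assumptions.

```javascript
// Added example, not the scanner's own source. Only the top-level keys come from the
// project's docs; entry shapes and every name/version below are constructed assumptions.
const sampleDb = {
  knownMalicious: {
    confirmed: ['evil-pkg'],
    typosquatting: ['lodahs', 'reacct', 'expresss'],
    credentialTheft: ['token-grabber'],
    cryptoMalware: ['miner-util'],
  },
  campaigns: [{ name: 'example-campaign', packages: [{ name: 'popular-lib', versions: ['1.4.2', '1.4.3'] }] }],
  trustedPackages: ['lodash'],
};

// Constructed dependency tree in the shape of a package-lock.json v3 "packages" map.
const sampleLock = {
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodahs': { version: '0.0.1' },
    'node_modules/popular-lib': { version: '1.4.2' },
    'node_modules/other-lib/node_modules/popular-lib': { version: '1.4.1' },
  },
};

// Turn lockfile paths into {name, version}; nested installs are each checked separately.
function dependenciesFromLock(lock) {
  return Object.entries(lock.packages)
    .filter(([path]) => path !== '')
    .map(([path, meta]) => ({ name: path.split('node_modules/').pop(), version: meta.version }));
}

// Name lists flag every version; campaigns flag only listed versions (1.4.1 stays clean).
function scanDependencies(deps, db) {
  const trusted = new Set(db.trustedPackages);
  const findings = [];
  for (const dep of deps) {
    if (trusted.has(dep.name)) continue; // allowlisted
    for (const [category, names] of Object.entries(db.knownMalicious)) {
      if (names.includes(dep.name)) findings.push({ ...dep, category });
    }
    for (const c of db.campaigns) {
      for (const p of c.packages) {
        if (p.name === dep.name && p.versions.includes(dep.version)) {
          findings.push({ ...dep, category: `campaign:${c.name}` });
        }
      }
    }
  }
  return findings;
}
```

Running scanDependencies(dependenciesFromLock(sampleLock), sampleDb) reports lodahs as typosquatting and popular-lib 1.4.2 as a campaign hit, while the nested popular-lib 1.4.1 and the allowlisted lodash produce no findings.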

Why This Scanner?

Built for speed, simplicity, and real-world threats

Zero Dependencies

Pure Node.js implementation. No external packages to worry about, and no dependency inception problem.

Instant Updates

Edit a JSON file to add new threats. No waiting for CVE databases or third-party services.

Works Offline

No API calls, no rate limits, no internet required. Perfect for air-gapped environments.

Comparison with Other Tools

Feature                  | This Scanner | npm audit | Snyk
Works Offline            | ✓            | ✗         | ✗
Zero Dependencies        | ✓            | ✓         | ✗
Supply Chain Attacks     | ✓            | ✗         | Partial
Instant Database Updates | ✓            | ✗         | ✗
Free Forever             | ✓            | ✓         | Limited

Protect Your Projects Today

One command. Zero configuration. Instant protection against npm supply chain attacks.

npx @araptus/npm-security-scanner
