NPM Safety Guard

Sendwavehub

Detects malicious npm packages, CVEs, and risky install hooks before installation. Live OSV.dev + supply chain attack DB (Shai-Hulud, Axios/DPRK RAT, Lazarus, event-stream). By SendWaveHub.

🛡 NPM Safety Guard

Built by SendWaveHub — SaaS tools for developers

Stops malicious npm packages, supply chain attacks, CVEs, phantom dependencies, and unmaintained packages before npm install ever runs. 26 detection layers, zero signup, offline-capable.

$ code --install-extension Sendwavehubtech.npm-safety-guard

Or open the Extensions sidebar and search "NPM Safety Guard".


Why

The npm ecosystem ships ~1 supply chain attack per week (Shai-Hulud worm, Axios DPRK RAT, Lazarus/Marstech, event-stream). Most discovery happens after developers have already run npm install. NPM Safety Guard catches them at the moment you open package.json.


What it catches

Automatic layers (run on every save)

| Layer | Icon | Catches |
| --- | --- | --- |
| Bundled malware DB | 🔴 | Curated supply-chain attacks: Shai-Hulud, Axios DPRK RAT, Lazarus, event-stream, node-ipc |
| Remote malware feed | 🔴 | Community-maintained additions, refreshed every 24h — no extension update needed |
| OSV.dev CVE scan | 🔵 | Every known CVE in the npm ecosystem, with fix versions |
| Install-script audit | 🟡 | Packages with preinstall / postinstall / install hooks — the #1 supply-chain vector |
| Typosquat + homoglyph + AI hallucination | 🟣 | axioss → axios, rеact (Cyrillic 'е') — Damerau-Levenshtein vs top-package list; also flags AI-hallucinated names like react-hooks, express-middleware, webpack-bundler that attackers register to catch developers copy-pasting AI-generated npm install commands |
| Dependency confusion | 🔶 | Scoped packages where a public-registry clone is version-inflated or freshly planted |
| Overrides / resolutions CVE | 🔷 | Teams that pin transitive deps in overrides to silence audits sometimes pin to a still-vulnerable version |
| Deprecated packages | 🚫 | Packages npm has officially marked deprecated — they accumulate unpatched CVEs silently |
| Unmaintained packages | ⏰ | Latest publish > 24 months ago (configurable) — abandoned packages rarely get security patches |
| Phantom dependencies | 👻 | Packages imported in your .ts/.js source files but missing from package.json — relying on an undeclared transitive dep that could disappear or be hijacked |
| AI Config Guard | 🛡️ | Installed packages whose JS code reads, writes, or exfiltrates AI assistant credentials — Claude Code (~/.claude/), Cursor, Copilot, 1Password CLI, OpenAI keys. Catches the Nx Console v18.95.0 attack pattern (GHSA-c9j4-9m59-847w). |

On-demand layers (run via command)

| Layer | Icon | Catches |
| --- | --- | --- |
| Deep tarball AST scan | 🔬 | eval, new Function, base64 blobs, String.fromCharCode reconstruction, split-file payloads |
| Lockfile walk | 📋 | Transitive compromises hidden in resolved dep tree (e.g. flatmap-stream via event-stream) — supports package-lock.json, yarn.lock, and pnpm-lock.yaml (v5/v6/v9) |
| Risk heuristics | 📊 | 0–100 score: package age, maintainer count, download velocity, size anomaly |
| ReversingLabs deep scan | 🟠 | Binary tampering + malware analysis (free token at secure.software) |
| License compliance | ⚖ | GPL / AGPL / LGPL / unlicensed packages — opt-in, configurable deny-list |
| OSSF Scorecard | 🏆 | OpenSSF security hygiene score per package (branch protection, signed releases, CI fuzzing) — opt-in, free API |
| Socket.dev supply chain | 🔌 | Maintainer reputation, suspicious network access, obfuscated code — opt-in, free token required |
| npm Provenance | 🔏 | Verifies sigstore-signed provenance attestations (npm 9+) — shows source repo + commit for packages that have them; flags new packages published without attestation |
| Upgrade Diff | 🔍 | Downloads old and new tarballs when a version bumps and flags security patterns newly introduced in the upgrade — catches attackers that slip malicious code into patch releases |
| Supply Chain Graph | ⛓ | Force-directed interactive graph of the full dependency tree — nodes colored by risk level, risky edges highlighted red, hover tooltips, pan/zoom/drag, search filter |

Real attacks covered out of the box

| Package | Versions | Campaign |
| --- | --- | --- |
| axios | 1.14.1, 0.30.4 | 🔴 Sapphire Sleet (DPRK) RAT, Mar 2026 |
| plain-crypto-js | 4.2.1 | 🔴 RAT dropper (WAVESHAPER.V2) |
| @shadanai/openclaw | 2026.3.x | 🔴 Axios campaign vector |
| @qqbrowser/openclaw-qbot | 0.0.130 | 🔴 Axios campaign vector |
| @ctrl/tinycolor | 4.1.1, 4.1.2 | 🔴 Shai-Hulud worm, Sept 2025 |
| rxnt-authentication | all | 🔴 Shai-Hulud worm propagation |
| ngx-toastr | 19.0.1, 19.0.2 | 🔴 Shai-Hulud 2.0 (preinstall), Nov 2025 |
| bigmathutils | all | 🔴 Lazarus / Marstech Mayhem (DPRK) |
| event-stream | 3.3.6 | 🟠 Crypto wallet theft (2018) |
| node-ipc | 10.1.1–11.0.0 | 🟠 Protestware (2022) |

Plus every CVE in the npm ecosystem via OSV.dev — and the community feed grows without extension updates.
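A sketch of the lockfile walk listed under the on-demand layers, added here as an example and not taken from the extension's source: it follows the resolved tree of a package-lock.json (v2/v3 `packages` map only; yarn.lock and pnpm-lock.yaml are not handled) and reports the dependency chain that pulls in a known-bad version. The sample lockfile and the names `demo-app` and `example-build-helper` are constructed; only exact-version rows of the table above are used.

```javascript
// Exact-version entries copied from the attack table on this page.
const BAD = { "event-stream": ["3.3.6"], "@ctrl/tinycolor": ["4.1.1", "4.1.2"], "ngx-toastr": ["19.0.1", "19.0.2"] };

// Constructed lockfile (lockfileVersion 3 layout); "demo-app" and "example-build-helper" are made-up names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-build-helper": "^1.0.0", "ngx-toastr": "^19.0.0" }, devDependencies: { "event-stream": "^4.0.0" } },
    "node_modules/example-build-helper": { version: "1.2.0", dependencies: { "event-stream": "^3.3.0" } },
    "node_modules/example-build-helper/node_modules/event-stream": { version: "3.3.6" },
    "node_modules/event-stream": { version: "4.0.1" },
    "node_modules/ngx-toastr": { version: "19.0.3" },
  },
};

// Node-style resolution: the requiring package's own node_modules first, then each ancestor's.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  while (true) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project, recording the chain that pulls in each package.
function findCompromised(lock, bad = BAD) {
  const packages = lock.packages || {};
  const findings = [];
  const seen = new Set([""]);
  const queue = [{ path: "", chain: [(packages[""] || {}).name || "(root)"] }];
  while (queue.length > 0) {
    const { path, chain } = queue.shift();
    const node = packages[path] || {};
    const deps = { ...node.dependencies, ...node.optionalDependencies, ...(path === "" ? node.devDependencies : {}) };
    for (const depName of Object.keys(deps)) {
      const target = resolveDep(packages, path, depName);
      if (!target || seen.has(target)) continue;
      seen.add(target);
      const { version, name = depName } = packages[target]; // "name" is set when the folder is an alias
      const next = [...chain, `${name}@${version}`];
      if ((bad[name] || []).includes(version)) findings.push({ name, version, via: next.join(" > ") });
      queue.push({ path: target, chain: next });
    }
  }
  return findings;
}
```

In the sample, the hoisted event-stream 4.0.1 that the project declares is clean; the flagged 3.3.6 copy is nested under a dependency, which is why the check has to follow resolution rather than read top-level entries.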


How it looks in your editor

Open any package.json. Within ~1 second you see:

  • 🔴 Red highlight — known-malicious packages
  • 🟣 Purple highlight — typosquats / homoglyphs (axioss, rеact with Cyrillic 'е')
  • 🤖 Info diagnostic — AI-hallucinated names (react-hooks, express-middleware) flagged with the real package to use instead
  • 🟡 Gold dashed — packages with install hooks
  • 🔵 Blue highlight — packages with active CVEs (hover shows fix version and advisory IDs)
  • 🚫 Deprecated / ⏰ Unmaintained — diagnostics in the Problems panel
  • 👻 Phantom deps — imports in source files that aren't in package.json
  • 📌 Status bar shield — total threat count; click to open the Security Report

Hover any flagged line for the full report — CVE IDs, advisory links, fix commands, and a direct Verify on npmjs.com link.

Click the 💡 lightbulb (or Cmd+. / Ctrl+.) on any flagged line for one-click fixes.


Quick-fix actions (lightbulb / Cmd+.)

| Trigger | Available fixes |
| --- | --- |
| CVE diagnostic | ⬆ Pin to fix version · ⚡ Fix all CVEs in file · 🔍 Review & pick fixes · ⬆ Fix in all workspace files · 🔕 Suppress advisory |
| No npm patch (e.g. xlsx) | 📖 View mitigation guide with concrete steps and alternative package |
| Typosquat / AI hallucination | ✏ Replace with correct name · ➕ Add to whitelist (false positive) |
| Install script | ➕ Add to script whitelist |
| Malware | 🛡 Pin to safe version · 🗑 Remove dependency |

Security Report

Run NPM Safety Guard: Show Security Report to open the full findings panel. It:

  • Scans every package.json in the workspace (including monorepo packages)
  • Deduplicates findings — one card per package, not per file
  • Shows Found in N files expandable list for monorepo packages
  • Provides inline Fix, Suppress, and Whitelist buttons that apply changes and auto-refresh the report
  • Shows amber No npm patch banners for packages like xlsx with expandable mitigation steps

Commands

Open the command palette (Ctrl+Shift+P / Cmd+Shift+P) and type "NPM Safety Guard":

| Command | What it does |
| --- | --- |
| Scan package.json Now | Re-run all auto-scan layers on the active file |
| Show Security Report | Open full security findings webview (all workspace files) |
| Fix All CVEs in This File | Pin every CVE-affected package to its fix version in one step |
| Fix All CVEs in Workspace | Same — applied across every package.json |
| Review & Pick CVE Fixes | Multi-select which CVEs to fix before applying |
| Pin Package to Fix Version in All Workspace Files | Fix one package across all files |
| Scan with OSV.dev | Force-refresh CVE results |
| Audit Install Scripts | Force-refresh install-hook check |
| Refresh Malware Database | Pull the latest community feed now |
| Check Typosquats / Homoglyphs | Force-refresh name-similarity check |
| Check Dependency Confusion | Scoped packages vs public npm registry |
| Check Deprecated Packages | Flag packages npm has marked deprecated |
| Check Unmaintained Packages | Flag packages with no release in >24 months |
| Check Phantom Dependencies | Imports in source files missing from package.json |
| Check License Compliance | Flag GPL / AGPL / unlicensed packages |
| Check OSSF Scorecard | OpenSSF security hygiene score per package |
| Check Socket.dev Supply Chain Risk | Supply chain risk signals (requires token) |
| Compute Risk Heuristics | 0–100 risk score: age / maintainers / downloads / size |
| Deep Scan All Dependencies | Tarball download + AST scan, opens detailed webview |
| Scan Lockfile | Walk package-lock.json / yarn.lock / pnpm-lock.yaml, check every transitive dep |
| Check ReversingLabs | Premium binary + malware analysis (needs free token) |
| Suppress Advisory | Acknowledge a CVE risk and silence it from future scans |
| Show Mitigation Guide | Concrete steps for packages with no npm patch (e.g. xlsx) |
| Check npm Provenance Attestations | Verify sigstore provenance for all deps; shows source repo + CI run for verified packages |
| Diff Package Upgrade | Fetch old + new tarball, diff JS/TS files, surface newly introduced malicious patterns |
| Show Supply Chain Graph | Interactive force-directed graph of the full dep tree — risk-colored nodes, red attack-path edges, hover tooltips, pan/zoom/drag |

Settings

Core

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableAutoScan | true | Scan on open and save |
| npmSafetyGuard.showInlineDecorations | true | Inline highlights in package.json |
| npmSafetyGuard.enableRemoteDb | true | Pull community malware feed every 24h |
| npmSafetyGuard.remoteDbUrl | blank | Override the community feed URL |

CVE scanning

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableOSV | true | CVE scan via OSV.dev (free, no key) |
| npmSafetyGuard.suppressedAdvisories | [] | Advisory IDs (GHSA / CVE) to silence — use the 🔕 Suppress quick fix to populate |

Install scripts

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableScriptCheck | true | Audit deps for preinstall/postinstall hooks |
| npmSafetyGuard.scriptWhitelist | [] | Extra packages to exclude from install-script warnings |
| npmSafetyGuard.flagPrepareHooks | false | Also flag prepare hooks (only risky for git-URL installs) |

Typosquat

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableTyposquat | true | Name-similarity + homoglyph detection |
| npmSafetyGuard.typosquatWhitelist | [] | Packages excluded from typosquat checks (false positives) |
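An added example (not the extension's own code) of the name-similarity check this section configures: confusable characters are folded to ASCII, then the name is compared against a top-package list with the optimal-string-alignment form of Damerau-Levenshtein. The five-entry `TOP_PACKAGES` list, the confusables map and the distance threshold of 1 are assumptions made for the demo; the `whitelist` option plays the role of `npmSafetyGuard.typosquatWhitelist`.

```javascript
// Constructed stand-in for the top-package list (assumption: the real list is far larger).
const TOP_PACKAGES = ["react", "axios", "express", "lodash", "webpack"];

// Small Cyrillic-to-Latin confusables map (assumption: illustrative, not exhaustive).
const CONFUSABLES = { "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x" };

function foldHomoglyphs(name) {
  return Array.from(name.normalize("NFKC"), (ch) => CONFUSABLES[ch] || ch).join("");
}

// Optimal-string-alignment variant of Damerau-Levenshtein: insertion, deletion,
// substitution and adjacent transposition each cost 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...new Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

function checkName(name, { top = TOP_PACKAGES, maxDistance = 1, whitelist = [] } = {}) {
  if (top.includes(name) || whitelist.includes(name)) return { verdict: "ok" };
  const folded = foldHomoglyphs(name);
  // A name that only becomes a popular package after folding is a homoglyph lookalike.
  if (folded !== name && top.includes(folded)) return { verdict: "homoglyph", target: folded };
  for (const target of top) {
    if (osaDistance(folded, target) <= maxDistance) return { verdict: "typosquat", target };
  }
  return { verdict: "ok" };
}
```

A legitimate package one edit away from a popular name (preact against react) is flagged by the same rule, which is the false-positive case the whitelist setting exists for.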

Dependency confusion & overrides

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableConfusionCheck | true | Detect scoped-package confusion attacks |
| npmSafetyGuard.enableOverridesCheck | true | Scan overrides/resolutions blocks for CVE-vulnerable pins |

Deprecated & unmaintained

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableDeprecatedCheck | true | Flag packages marked deprecated on npm |
| npmSafetyGuard.enableUnmaintainedCheck | true | Flag packages with no release in a long time |
| npmSafetyGuard.unmaintainedMonths | 24 | Months since last publish before flagging as unmaintained |

Phantom dependencies

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enablePhantomCheck | true | Detect imports in source files not declared in package.json |
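One way to implement the phantom-dependency check described above, as an added example rather than the extension's code: collect import specifiers from source text, reduce each to the package that must be declared for it, and report those absent from package.json. The regex extraction, the short built-in list and the sample project are assumptions for the demo; a regex can also match text inside comments or strings, which an AST-based check would avoid.

```javascript
// A few Node built-ins for the demo (assumption: a real check uses the full list).
const BUILTINS = new Set(["fs", "path", "os", "crypto", "http", "https", "child_process", "url", "util"]);

// Reduce an import specifier to the npm package that must be declared for it.
function packageOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null; // local file
  if (specifier.startsWith("node:")) return null; // explicit built-in
  const parts = specifier.split("/");
  const name = specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return BUILTINS.has(name) ? null : name;
}

// Static import / export-from, require() and dynamic import() with a literal specifier.
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*\(\s*|\brequire\s*\(\s*|\bimport\s+)(["'])([^"'\n]+)\1/g;

// sources: { "<file path>": "<source text>" }, manifest: parsed package.json
function findPhantoms(sources, manifest) {
  const declared = new Set(
    ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"]
      .flatMap((field) => Object.keys(manifest[field] || {}))
  );
  const phantoms = new Map(); // package name -> files that import it
  for (const [file, code] of Object.entries(sources)) {
    for (const match of code.matchAll(IMPORT_RE)) {
      const pkg = packageOf(match[2]);
      if (!pkg || pkg === manifest.name || declared.has(pkg)) continue;
      phantoms.set(pkg, [...(phantoms.get(pkg) || []), file]);
    }
  }
  return Object.fromEntries(phantoms);
}

// Constructed sample project: "qs" and "lodash" are imported but never declared.
const SAMPLE_MANIFEST = { name: "demo-app", dependencies: { express: "^4.19.0", "@example/ui": "^2.0.0" } };
const SAMPLE_SOURCES = {
  "src/server.ts": 'import express from "express";\nimport qs from "qs";\nimport { readFile } from "node:fs";\n',
  "src/ui.js": 'const btn = require("@example/ui/button");\nconst merge = require("lodash/merge");\nimport("./local.js");\n',
};
```

In the sample, `qs` resolves today only because another dependency happens to install it, which is the undeclared reliance this layer reports.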

License compliance

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableLicenseCheck | false | Flag packages matching the deny-list (opt-in — context-dependent) |
| npmSafetyGuard.licenseDenyList | ["GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0", …] | SPDX license identifiers to flag; also flags UNLICENSED packages |

OSSF Scorecard

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableOSSFCheck | false | Query OpenSSF Scorecard API for security hygiene scores (opt-in, free) |
| npmSafetyGuard.ossfScoreThreshold | 4.0 | Flag packages scoring below this threshold (0–10) |

Socket.dev

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableSocketCheck | false | Query Socket.dev API for supply chain risk (opt-in, requires token) |
| npmSafetyGuard.socketToken | blank | Socket.dev API token — create a free account to get one |
| npmSafetyGuard.socketRiskThreshold | 0.5 | Flag packages with supply chain risk score below this (0–1) |

npm Provenance

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableProvenanceCheck | true | Check npm provenance attestations (sigstore) — verifies packages published via npm 9+ have a signed link to their source repo and CI run |

ReversingLabs

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.rlToken | blank | ReversingLabs Spectra Assure token (free at secure.software) |

AI Config Guard

On May 18 2026, the nrwl.angular-console v18.95.0 VS Code extension was published with a credential stealer that read ~/.claude/settings.json (Anthropic Claude Code), OP_SESSION_* (1Password CLI), and exfiltrated the data via DNS tunneling. The same week, five npm packages shipped hidden ELF binaries that backdoored Claude Code sessions.

AI Config Guard is a dedicated detection layer that scans your installed node_modules for code matching these attack patterns. Legitimate packages have no reason to touch AI assistant configuration files — any match is presumptively suspicious.

What it detects

| Signature | Severity | Catches |
| --- | --- | --- |
| ANTH-CLAUDE-CONFIG-READ | high | Reads of ~/.claude/settings.json, .claude/credentials |
| ANTH-CLAUDE-CONFIG-WRITE | critical | Writes to ~/.claude/ — settings hijacking |
| OPENAI-API-KEY-FILE | high | Reads of ~/.openai/auth.json |
| CURSOR-CONFIG-READ | high | Reads of ~/.cursor/, Cursor/User/globalStorage |
| COPILOT-TOKEN-READ | high | Reads of GitHub Copilot token storage |
| ONEPASSWORD-CLI-SESSION | high | OP_SESSION_* env reads, op signin invocations |
| AWS-SHARED-CREDENTIALS | medium | ~/.aws/credentials reads from non-AWS-SDK code |
| GITHUB-TOKEN-NPMRC | medium | .npmrc reads looking for _authToken |
| SSH-PRIVATE-KEY-READ | high | Reads of ~/.ssh/id_* private keys |
| NPX-ORPHAN-COMMIT | critical | npx -y github:owner/repo#<40-hex-sha> — the exact Nx Console MO |
| BUN-RUNTIME-AUTOINSTALL | high | Bun auto-installed during activation (Nx Console sandbox bypass) |
| DNS-TUNNEL-EXFIL | critical | DNS TXT lookups encoding base64 payloads — covert exfiltration channel |
| LAUNCHAGENT-PERSIST | high | Writes to ~/Library/LaunchAgents/ — macOS persistence backdoor |

What it does not do

  • Not antivirus. It uses regex pattern matching — it cannot catch obfuscated payloads that are more than one step removed from the literal patterns.
  • False positives are expected. Some legitimate packages (DNS libraries, cloud SDKs) may produce warnings. Use the suppression mechanism to acknowledge false positives.
  • Does not block or uninstall. This is detection-only. Remove the package manually if a finding is confirmed.

How to suppress a false positive

Add the package name to your project's .vscode/settings.json:

{
  "npmSafetyGuard.suppressedAdvisories": ["my-safe-package"]
}

How to contribute new signatures

Signatures live in src/scanners/signatures/aiConfigTargets.json. Each entry is a JSON object with id, name, description, severity, category, patterns.contentRegex, and references. Open a PR — no TypeScript required.

Settings

| Setting | Default | Description |
| --- | --- | --- |
| npmSafetyGuard.enableAiConfigGuard | true | Enable/disable the entire AI Config Guard layer |
| npmSafetyGuard.aiConfigSeverityThreshold | "medium" | Minimum severity to report (low/medium/high/critical) |
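How a signature entry, the severity threshold and package-name suppression fit together, as an added example that is not the extension's implementation. The entries follow the field list given under "How to contribute new signatures" and reuse two ids and severities from the table; every regex, name and category value, the array form of `contentRegex`, and the sample files are assumptions.

```javascript
// Field layout as described on this page (id, name, description, severity, category,
// patterns.contentRegex, references). Regexes, names and categories are illustrative assumptions.
const SIGNATURES = [
  { id: "ANTH-CLAUDE-CONFIG-READ", name: "Claude Code config read", severity: "high",
    description: "Reads Claude Code settings or credentials", category: "ai-config", references: [],
    patterns: { contentRegex: ["\\.claude[\\\\/](settings\\.json|credentials)"] } },
  { id: "AWS-SHARED-CREDENTIALS", name: "AWS shared credentials read", severity: "medium",
    description: "Reads ~/.aws/credentials", category: "cloud-credentials", references: [],
    patterns: { contentRegex: ["\\.aws[\\\\/]credentials"] } },
];

const LEVELS = ["low", "medium", "high", "critical"];

// Validate entries and compile their regex sources; a bad entry fails loudly instead of never matching.
function compile(entries) {
  return entries.map((sig) => {
    const sources = [].concat(sig.patterns?.contentRegex ?? []);
    if (!sig.id || !LEVELS.includes(sig.severity) || sources.length === 0) {
      throw new Error(`invalid signature: ${sig.id || "(no id)"}`);
    }
    return { id: sig.id, severity: sig.severity, regexes: sources.map((src) => new RegExp(src)) };
  });
}

// files: { "node_modules/<pkg>/<file>": "<source text>" }
function scan(files, entries, { threshold = "medium", suppressed = [] } = {}) {
  const active = compile(entries).filter((s) => LEVELS.indexOf(s.severity) >= LEVELS.indexOf(threshold));
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    // Innermost package that owns the file, scoped names included.
    const pkg = (path.match(/node_modules\/((?:@[^/]+\/)?[^/]+)\/(?!.*node_modules\/)/) || [])[1];
    if (!pkg || suppressed.includes(pkg)) continue;
    text.split("\n").forEach((line, i) => {
      for (const s of active) {
        if (s.regexes.some((re) => re.test(line))) findings.push({ pkg, file: path, line: i + 1, id: s.id, severity: s.severity });
      }
    });
  }
  return findings;
}

// Constructed sample files; the package names are made up.
const SAMPLE_FILES = {
  "node_modules/example-pkg-a/index.js": 'const fs = require("fs");\nconst cfg = fs.readFileSync(home + "/.claude/settings.json", "utf8");\n',
  "node_modules/@example/pkg-b/lib/aws.js": 'const p = os.homedir() + "/.aws/credentials";\n',
  "node_modules/example-pkg-c/index.js": "module.exports = (s, n) => s.padStart(n);\n",
};
```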

Privacy

| Layer | Data sent | Destination |
| --- | --- | --- |
| Bundled DB, typosquat, lockfile, AI Config Guard | nothing | fully offline |
| OSV.dev CVE scan | <name>@<version> per dep | api.osv.dev (HTTPS) |
| Remote malware feed | plain GET request | raw.githubusercontent.com |
| Install-script audit, deprecated, unmaintained, license, phantom | <name> per dep | registry.npmjs.org (same as npm install) |
| Risk heuristics | <name> per dep | registry.npmjs.org, api.npmjs.org |
| Deep tarball scanner | downloads .tgz artifacts | registry.npmjs.org |
| OSSF Scorecard | repo path extracted from npm metadata | api.securityscorecards.dev |
| Socket.dev | <name>@<version> + your API token | api.socket.dev (opt-in, token required) |
| ReversingLabs | <name>@<version> + your API token | secure.software (opt-in, token required) |
| npm Provenance | <name>@<version> per dep | registry.npmjs.org/-/npm/v1/attestations/ (same host as install) |
| Upgrade Diff | downloads two .tgz artifacts | registry.npmjs.org (same as npm install) |

All network calls are fail-open — if a service is unreachable, every other layer continues working. No telemetry is collected by this extension.


Reporting a new malicious package

  1. Edit db/malicious-packages.json on GitHub
  2. Open a PR
  3. Once merged, every install picks it up within 24h — no extension update needed

Credits

  • CVE data from OSV.dev (Google)
  • Security hygiene scores from OpenSSF Scorecard
  • Supply chain risk signals from Socket.dev
  • Premium deep scan via ReversingLabs Spectra Assure
  • Inspired by Aikido Safe Chain and OSSF malicious-packages

Support development

If NPM Safety Guard saves you from a supply-chain attack, consider supporting its maintenance:

GitHub Sponsors Open Collective Ko-fi


About

Maintained by SendWaveHub. Check out our other developer tools at sendwavehub.tech.

Found this useful? ⭐ the GitHub repo and leave a review on the Marketplace.
