⬣ Seerpack — Trust No Package
X-ray vision for npm. The first line of defense in your node_modules.
Seerpack is a VS Code extension that scans every npm dependency for typosquatting, malicious scripts, suspicious maintainers, and supply chain threats — assigning a Trust Score from 0 to 100 for every package.
Built by Seerror — India's Digital RAW.
The Problem
npm has a massive supply chain security crisis:
- Typosquatting: Attackers publish packages like `lodsah`, `expresss`, `reactt` that steal your env vars
- Malicious postinstall scripts: Packages that `curl` your `.env`, `.ssh`, and API keys to remote servers
- Account takeovers: Legitimate packages get bought/hijacked and pushed with malicious code
- Phantom dependencies: Packages with 200+ transitive dependencies you never audited
You install one package. You trust hundreds. Seerpack makes sure that trust is earned.
Features
🔍 Trust Score (0-100)
Every dependency gets a weighted trust score across 6 dimensions:
- Popularity & Adoption (25%) — download counts, community size
- Maintainer Quality (15%) — team size, contact info, bus factor
- Code Transparency (15%) — public repo, license, description
- Script Safety (20%) — postinstall analysis, network calls, env access
- Supply Chain (15%) — dependency depth, deprecation status
- Age & Stability (10%) — creation date, version count, update recency
🎯 Typosquat Detection
Catches 6 types of name manipulation:
- Single/double character edits (`lodsah` → `lodash`)
- Character transposition (`exrpess` → `express`)
- Separator swaps (`react_dom` → `react-dom`)
- Prefix/suffix injection (`js-lodash`, `express-js`)
- Character repetition (`expresss` → `express`)
- Scope impersonation
⚡ Script Analyzer
Scans postinstall/preinstall scripts for 30+ malicious patterns:
- Network exfiltration (`curl`, `wget`, webhooks)
- SSH/API key theft (`.ssh`, `AWS_SECRET`, `GITHUB_TOKEN`)
- Browser data access (cookies, local storage)
- Code obfuscation (`eval()`, `Buffer.from(base64)`, hex encoding)
- Crypto mining indicators
- Process spawning and shell commands
📊 Trust Dashboard
Rich webview dashboard showing:
- All packages sorted by risk
- Per-package trust breakdown
- Risk findings with severity badges
- Download counts, dependency depth, maintainer info
🔔 Inline Warnings
See warnings directly in your package.json:
- Red squiggles for dangerous packages (score < 30)
- Yellow warnings for suspicious packages (30-50)
- Info hints for moderate risk (50-70)
Activity bar with three views:
- Trust Overview — packages grouped by trust level
- Alerts — all active warnings sorted by severity
- Recent Scans — scan history
Commands
| Command | Shortcut | Description |
|---|---|---|
| Seerpack: Scan All Dependencies | Ctrl+Shift+S | Scan every dependency in package.json |
| Seerpack: Scan Single Package | — | Scan one package by name |
| Seerpack: Open Trust Dashboard | — | Open the rich dashboard view |
| Seerpack: Scan Before Install | — | Pre-install safety check |
Settings
| Setting | Default | Description |
|---|---|---|
| seerpack.autoScanOnOpen | true | Auto-scan when package.json opens |
| seerpack.trustThreshold | 40 | Score below this triggers warnings |
| seerpack.showInlineWarnings | true | Show warnings in package.json |
| seerpack.scanDevDependencies | true | Include devDependencies |
| seerpack.checkPostInstallScripts | true | Flag suspicious lifecycle scripts |
How It Works
- Reads your `package.json` — extracts all dependencies
- Fetches npm registry metadata — download counts, maintainers, scripts, dates
- Runs 6 analysis engines — typosquatting, scripts, popularity, transparency, supply chain, stability
- Calculates weighted trust score — 0 to 100 with risk penalties
- Shows results — inline diagnostics, sidebar, dashboard
No data leaves your machine except npm registry API calls (same as npm install does).
Installation
From VS Code Marketplace
Search "Seerpack" in the Extensions panel (Ctrl+Shift+X).
From VSIX
```bash
code --install-extension seerpack-1.0.0.vsix
```
Build from source
```bash
git clone https://github.com/Seerror-Technologies/seerpack.git
cd seerpack
npm install
npm run compile
```
Privacy
How the extension handles data: privacy.html (also bundled in this repo for the landing site).
About Seerror Technologies
Seerror Technologies on GitHub — open-source and product work from the Seerror ecosystem.
Seerror is an AI-powered cybersecurity and privacy company founded by Jay Tiwari (copycode69) in Bengaluru, India.
Products: Seerror (website auditor) · Seerraze (Discord cleaner) · Seerguard (extension scanner) · Seerrveil (photo privacy) · Seerie (offline AI) · Seerpack (npm scanner)
Website: seerror.com
Twitter / X: @seerrorX
Discord: discord.gg/zV9NDsV6
"Trust no package."
Built for humans. Against the machine.