npm-scan

Monitors newly published npm package versions and flags publishes that introduce a preinstall or postinstall script. These lifecycle scripts can pose security risks, as they execute automatically during package installation and may be introduced in updates without users noticing.

The tool uses npm's replicate database (replicate.npmjs.com) to track changes, then fetches full package metadata from the registry to compare scripts between versions.

Hall of Fame

Malicious packages are screened and reported by myself. This project has led to the following results between January 18th and January 20th, 2026:

24 packages have been reported
24 packages has been removed

Including at least 6 instances of live malware:

Author

Daniel Lockyer hi@daniellockyer.com

GitHub Sponsors

License

This project is licensed under the MIT License - see the LICENSE file for details.

Name		Name	Last commit message	Last commit date
Latest commit History 70 Commits
.github		.github
src		src
.gitignore		.gitignore
.tool-versions		.tool-versions
LICENSE		LICENSE
README.md		README.md
ecosystem.config.cjs		ecosystem.config.cjs
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

npm-scan

Hall of Fame

Author

License

About

Uh oh!

Sponsor this project

Uh oh!

Contributors 2

Uh oh!

Languages

Uh oh!

License

daniellockyer/npm-scan

Folders and files

Latest commit

History

Repository files navigation

npm-scan

Hall of Fame

Author

License

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Sponsor this project

Uh oh!

Contributors 2

Uh oh!

Languages