
© 2025 – Pkg Stats / Ryan Hefner

@jxrstudios/pest-control

v1.1.9

Published

Emergency tool to remove the ansi-regex malware and related compromised npm packages

Downloads

6

Readme

██████╗ ███████╗███████╗████████╗     ██████╗██████╗ ██████╗ 
██╔══██╗██╔════╝██╔════╝╚══██╔══╝    ██╔════╝██╔══██╗██╔══██╗
██████╔╝█████╗  ███████╗   ██║       ██║     ██████╔╝██████╔╝
██╔═══╝ ██╔══╝  ╚════██║   ██║       ██║     ██╔══██╗██╔═══╝ 
██║     ███████╗███████║   ██║       ╚██████╗██║  ██║██║     
╚═╝     ╚══════╝╚══════╝   ╚═╝        ╚═════╝╚═╝  ╚═╝╚═╝     

💀 NPM Malware Extermination Tool v1.1.6
BATTLE-TESTED • ENTERPRISE-GRADE • BOT-RESISTANT
AUTHENTIC SECURITY TOOL - VERIFIED INTEGRITY

Pest Control - Emergency NPM Malware Exterminator

A zero-dependency, cross-platform CLI to exterminate the ansi-regex supply-chain attack and related variants.

🚀 Installation

Using npx (Recommended)

# Run this in your project root. It does everything.
npx @jxrstudios/pest-control

Install from GitHub Packages

  1. Create a GitHub Personal Access Token with read:packages scope
  2. Add the following to your ~/.npmrc:
    @jxrstudios:registry=https://npm.pkg.github.com/
    //npm.pkg.github.com/:_authToken=YOUR_GITHUB_TOKEN
  3. Install the package:
    npm install @jxrstudios/pest-control
  4. Run the tool:
    npx pest-control

🔥 The Crisis

WARNING: The npm ecosystem is under attack! Malicious versions of widely-used color utilities have been detected:

| Package | Status | Impact |
|---------|--------|--------|
| ansi-regex | ⚠️ Compromised | Critical |
| ansi-styles | ⚠️ Compromised | Critical |
| color-name | ⚠️ At Risk | High |
| color-convert | ⚠️ At Risk | High |
| color-string | ⚠️ At Risk | High |

💡 Note: These packages are used by thousands of projects and their dependencies. Even if you don't use them directly, your project might be at risk!

The malicious versions exfiltrate secrets (environment variables, CI tokens) and can persist through nested dependencies and lockfiles.

🛡️ 8-Phase Security Protocol

1. 🔍 SCAN

Comprehensive deep scan with strict version verification
Scans node_modules (including nested dependencies) for known malicious packages and suspicious patterns.

2. 💀 EXTERMINATE

Removal of detected threats
Automatically uninstalls all identified malicious packages and their variants.

3. 🔥 FIRE BLAZE

Complete node_modules purge
Nuclear option: Removes the entire node_modules directory to ensure no traces remain.

4. 🥚 COCKROACH EGGS

Lockfile annihilation
Removes all lockfiles to prevent dependency confusion attacks:

  • package-lock.json
  • yarn.lock
  • pnpm-lock.yaml
  • npm-shrinkwrap.json

5. 🛡️ SHIELD

Proactive protection
Applies version overrides in package.json based on your package manager:

{
  "overrides": {
    "ansi-regex": "^6.0.1",
    "ansi-styles": "^6.2.1"
  }
}

  • npm: Uses overrides
  • Yarn: Uses resolutions
  • pnpm: Uses pnpm.overrides

6. 🔄 REBUILD

Secure dependency installation
Reinstalls all dependencies with visual progress indicators and blacklisting of known malicious packages.

7. ✅ VERIFY

Final security audit
Performs a final scan to ensure all threats are eliminated and provides a detailed security report.

8. 📜 CERTIFY

Documentation and verification
Generates a SECURITY_CERTIFICATE.txt with:

  • Scan results
  • Actions taken
  • Recommended next steps
  • Package manager specific lockfile

🚦 Usage

Basic Usage

# Run with default settings
npx @jxrstudios/pest-control

Advanced Options

# Run in dry-run mode (shows what would be done without making changes)
npx @jxrstudios/pest-control --dry-run

# Skip interactive prompts (useful for CI/CD)
npx @jxrstudios/pest-control --yes

# Set custom output directory for logs and certificates
npx @jxrstudios/pest-control --output ./security-audit

CI/CD Integration

# Example GitHub Actions Workflow
name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18.x'
      - name: Run Pest Control
        run: npx @jxrstudios/pest-control --yes

💡 Tip: The tool runs fully unattended with real-time progress indicators and phase labels, ensuring it never appears frozen.

🟢 When Nothing Is Detected

You’ll see “No malware detected.” Pest Control still performs full cleanup (including precautionary lockfile removal and secure reinstall) to eliminate any chance of undetected persistence.

Enforcement Across Package Managers

  • npm — package.json#overrides and a gated preinstall that runs npm-force-resolutions only for npm
  • Yarn — package.json#resolutions is added so Yarn enforces the same safe versions
  • pnpm — package.json#pnpm.overrides pins safe versions
  • After success, the lockfile is regenerated for your detected package manager

Certification Outputs

  • package.json: a pestControl block with certificate ID, timestamp, and status
  • package-lock.json: a pestControl block reflecting enforced safe versions (npm)
  • SECURITY_CERTIFICATE.txt: human-readable certificate summary

Why Trust This?

  • Zero Dependencies — Native Node.js only
  • Transparent — Simple, readable code
  • Safe Defaults — Focused file ops with clear logs and backups via lockfile regen

Resources

  • Official advisory: https://github.com/advisories/GHSA-jvhh-2m83-6w29
  • Socket.dev blog: https://socket.dev/blog/ansi-regex-malware

Community-driven. Use at your own risk. Issues and PRs welcome.

Key Features

  • Lightning-fast, zero-dependency Node.js CLI (no install required via npx)
  • Full 8-phase cleanup for ansi-regex and related supply-chain malware
  • Cross-PM enforcement: npm overrides, Yarn resolutions, pnpm pnpm.overrides
  • npm-only preinstall guard: npx --yes npm-force-resolutions (auto-skips Yarn/pnpm)
  • Precautionary lockfile removal + PM-aware lockfile regeneration
  • Persistent spinners with phase labels so the CLI never looks frozen
  • Final certification: SECURITY_CERTIFICATE.txt and metadata in JSON files
  • Windows, macOS, and Linux support (CMD/PowerShell/Bash)

Supported Package Managers & Platforms

  • npm (overrides, gated preinstall guard, package-lock regeneration)
  • Yarn (resolutions, yarn.lock re-resolution)
  • pnpm (pnpm.overrides, pnpm-lock.yaml regeneration)
  • Operating systems: Windows, macOS, Linux

CI/CD Integration

Add a pre-step to run Pest Control in your pipeline before install/build:

steps:
  - name: Pest Control - Exterminate supply chain malware
    run: npx @jxrstudios/pest-control

For npm users, the tool also injects a gated preinstall script that runs npm-force-resolutions only when the user agent is npm, ensuring lockfile alignment prior to npm install.

Troubleshooting

  • Spinner looks static in logs: spinners update the same line; the CLI is active. You can increase verbosity by running in a local terminal.
  • Lockfile regen fails (missing PM): The tool continues and logs a warning. Install the respective PM and rerun Pest Control.
  • "Unknown version" warnings: The package is not in the known safe/malware list; overrides keep you safe, but consider auditing that package.

FAQ

  • Does this delete my code?
    No. It deletes node_modules and lockfiles, then applies safe overrides/resolutions, and performs a clean reinstall.

  • Why remove lockfiles even when nothing is detected?
    Lockfiles can preserve hidden dependency trees. We remove them as a precaution and then regenerate with shields enforced.

  • Will this break Yarn or pnpm?
    No. The npm preinstall guard is gated to npm user agents. Yarn/pnpm users get native enforcement via resolutions/pnpm.overrides without the preinstall step.

  • Can I run it on CI safely?
    Yes. It is zero-dependency and uses native Node modules. Add npx pest-control before your install.

Source URL Enforcement (Optional)

Pest Control can verify its source repository via a signed JWT before running. This helps ensure you’re using the authentic tool.

Environment variables (kept in .env.local, which is already gitignored):

  • GITHUB_REPO_URL — expected GitHub repo URL
  • JWT_SECRET — your secret key (do not commit it)
  • SOURCE_JWT — signed JWT token

Validated claims (HS256): repo, owner, domain, with optional exp/nbf.

Security note: Do not paste token-generation commands or secrets into the README. Keep .env files private.

Keywords (SEO)

ansi-regex malware removal, npm supply chain attack cleanup, remove malicious npm package, npm overrides safe versions, Yarn resolutions security, pnpm overrides malware, delete lockfile package-lock yarn.lock pnpm-lock, node_modules cleanup, npx security tool, Windows macOS Linux CLI, npm-force-resolutions preinstall, secure reinstall, malware exfiltration prevention