
contrastapi

v1.5.0


ContrastAPI Node.js SDK

Official Node.js SDK for ContrastAPI — security intelligence for developers and AI agents.

Zero dependencies. Works with Node.js 14+.

Install

npm install contrastapi

Quick Start

const ContrastAPI = require("contrastapi");
const api = ContrastAPI();

async function main() {
  // Domain intelligence
  const report = await api.domain.report("example.com");

  // CVE lookup
  const cve = await api.cve.lookup("CVE-2024-3094");

  // SSL certificate check
  const ssl = await api.domain.ssl("example.com");

  // Scan HTTP security headers (live)
  const headers = await api.scan.headers("example.com");

  // Check code for secrets
  const secrets = await api.check.secrets("const key = 'AKIA...'", "javascript");
}

main().catch(console.error);

With API Key (Pro)

const api = ContrastAPI({ apiKey: "your-api-key" });

All Methods

Credit Costs

Most endpoints cost 1 credit. Heavy orchestration endpoints cost more:

| Endpoint | Cost |
| --- | --- |
| domain.audit() | 4× |
| ip.threatReport() | 4× |
| cve.bulk([...]) | N× (per item) |
| ioc.bulk([...]) | N× (per item) |

Bulk endpoints: free tier up to 10 items per call, Pro tier up to 50. Free tier: 30 credits/hour. Pro tier: 500 credits/hour.
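
A batching sketch for the limits above, added here as an example and not part of the SDK: it splits a CVE list into cve.bulk() calls that stay inside the per-call item cap and the hourly credit budget. The function names, the sample IDs and the caller-supplied creditsAlreadyUsed counter are assumptions.

```javascript
// Added example, not part of the SDK. Limits are the ones stated in this README.
const TIERS = {
  free: { maxItemsPerCall: 10, creditsPerHour: 30 },
  pro: { maxItemsPerCall: 50, creditsPerHour: 500 },
};
const CVE_ID = /^CVE-\d{4}-\d{4,}$/;

// Split CVE IDs into cve.bulk() calls that respect the per-call item cap and
// stop once the hourly credit budget is spent (bulk costs 1 credit per item).
// creditsAlreadyUsed is tracked by the caller (assumption).
function planCveBulk(ids, tier, creditsAlreadyUsed = 0) {
  const limits = TIERS[tier];
  if (!limits) throw new Error(`unknown tier: ${tier}`);
  // Normalise, validate and de-duplicate so repeated IDs are not paid for twice.
  const cleaned = ids.map((id) => String(id).trim().toUpperCase());
  const unique = [...new Set(cleaned.filter((id) => CVE_ID.test(id)))];
  const rejected = cleaned.filter((id) => !CVE_ID.test(id));
  let remaining = Math.max(0, limits.creditsPerHour - creditsAlreadyUsed);
  const batches = [];
  let next = 0;
  while (next < unique.length && remaining > 0) {
    const size = Math.min(limits.maxItemsPerCall, remaining, unique.length - next);
    batches.push(unique.slice(next, next + size));
    next += size;
    remaining -= size;
  }
  // deferred: valid IDs that did not fit in this hour's budget.
  return { batches, deferred: unique.slice(next), rejected, creditsPlanned: next };
}

// Execute the plan. `api` is a client created as in Quick Start.
async function runCveBulk(api, ids, tier, creditsAlreadyUsed = 0) {
  const plan = planCveBulk(ids, tier, creditsAlreadyUsed);
  const results = [];
  for (const batch of plan.batches) {
    results.push(await api.cve.bulk(batch)); // sequential keeps spend predictable
  }
  return { results, deferred: plan.deferred, rejected: plan.rejected };
}

// Constructed input: 35 placeholder IDs plus one duplicate and one malformed entry.
const sampleIds = Array.from({ length: 35 }, (_, i) => `CVE-2024-${10000 + i}`)
  .concat(["cve-2024-10000 ", "not-a-cve"]);
```

On the free tier the sample yields three calls of 10 and defers the last five IDs to the next hour.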

Domain Intelligence

api.domain.report("example.com")           // Full domain report
api.domain.report("example.com", {lite: true}) // Fast lite report
api.domain.dns("example.com")              // DNS records
api.domain.whois("example.com")            // WHOIS data
api.domain.subdomains("example.com")       // Subdomain enumeration
api.domain.certs("example.com")            // Certificate transparency
api.domain.ssl("example.com")              // SSL/TLS analysis
api.domain.tech("example.com")             // Technology fingerprint
api.domain.threat("example.com")           // Threat intelligence
api.domain.monitor("example.com")          // Domain monitoring
api.domain.vulns("example.com")            // Known vulnerabilities
api.domain.bulk(["a.com", "b.com"])        // Bulk domain reports
api.domain.audit("example.com")            // Full audit (report + tech + headers) — 4 credits
api.domain.robots("example.com")           // v1.5.0: robots.txt parser
api.domain.redirect("https://bit.ly/3xyz") // v1.5.0: redirect-chain walker
api.domain.brand("example.com")            // v1.5.0: brand assets (favicon/logo/OG)
api.domain.seo("example.com")              // v1.5.0: SEO audit

IP & ASN

api.ip.lookup("8.8.8.8")                   // IP intelligence
api.ip.threatReport("8.8.8.8")             // Threat report (AbuseIPDB + Shodan + ASN) — 4 credits
api.asn.lookup("google.com")               // ASN lookup

CVE Intelligence

api.cve.lookup("CVE-2024-3094")            // Single CVE — full record
api.cve.search({product: "apache", severity: "critical"})
api.cve.leading({limit: 50})               // Fresh CVEs from MITRE/GHSA before NVD enrichment
api.cve.kev("CVE-2021-44228")              // CISA KEV detail (404 if not in catalog)
api.cve.exploit("CVE-2024-3094")           // Public exploits + advisories
api.cve.bulk(["CVE-2024-3094", "CVE-2021-44228"])  // Bulk CVE lookup — N credits

CWE (MITRE Weakness Catalog)

api.cwe.lookup("CWE-79")                   // CWE detail (description, mitigations, CVE count)

MITRE ATLAS (AI/ML Attack Catalog)

api.atlas.technique("AML.T0043")           // ATLAS technique detail
api.atlas.techniqueSearch({keyword: "prompt", tactic: "AML.TA0011", limit: 20})
api.atlas.bulkTechniqueLookup(["AML.T0051", "AML.T0043"])  // v1.4.0: bulk drill
api.atlas.caseStudy("AML.CS0000")          // Case study detail
api.atlas.caseStudySearch({keyword: "GPT", limit: 10})

v1.4.0 note: server param renamed from q to keyword. q is still accepted as a back-compat alias on techniqueSearch and caseStudySearch, but passing both at once throws. Prefer keyword.

MITRE D3FEND (Defense Technique Catalog)

api.d3fend.defense("CertificatePinning")           // Defense technique detail
api.d3fend.defenseSearch({keyword: "encryption", tactic: "Harden", limit: 20})
api.d3fend.defenseForAttack("T1059", {include: "full"})  // v1.4.0: include + exclude_id supported
api.d3fend.coverage(["T1059", "T1078", "T1190"])   // Batch coverage analysis

v1.4.0 note: kind parameter dropped from defenseSearch (server doesn't accept it — silently ignored before, removed for clarity). defenseForAttack now accepts an optional { include, exclude_id } second argument.

Threat Intelligence

api.ioc.lookup("evil.com")                 // IOC enrichment (auto-detect type)
api.ioc.hash("abc123...")                  // Malware hash lookup
api.ioc.phishing("https://evil.com/login") // Phishing check
api.ioc.bulk(["8.8.8.8", "evil.com"])      // Bulk IOC lookup — N credits

Email & Phone & Username

api.email.mx("example.com")                // MX + SPF/DMARC/DKIM
api.email.disposable("[email protected]")  // Disposable email check
api.email.securityPosture("example.com")   // v1.5.0: SPF/DMARC/DKIM posture + score
api.email.securityPosture("example.com", {selectors: "s1,s2"}) // custom DKIM selectors
api.email.verify("[email protected]")       // v1.5.0: deliverability / mailbox verify
api.phone.lookup("+1234567890")            // Phone validation
api.username.lookup("octocat")             // v1.4.0: cross-platform username lookup

Password

api.password.check("5baa61e4...")          // HIBP breach check (SHA1)

Wayback Archive (v1.4.0)

api.domain.wayback("example.com")          // CDX snapshot history

Sigma Detection Rules (v1.5.0)

api.sigma.lookup("5013636e-7f4c-...")      // Sigma rule by UUID
api.sigma.bulk(["uuid1", "uuid2"])         // Bulk lookup (≤50 rule IDs)

Code Security

api.check.secrets(code, "python")          // Detect hardcoded secrets
api.check.injection(code, "javascript")    // SQL/command injection
api.check.headers({"Content-Security-Policy": "..."})  // Header validation
api.check.dependencies([{name: "lodash", version: "4.17.0"}])  // CVE check
api.scan.headers("example.com")            // Live header scan

Meta

api.status()                               // API health
api.usage()                                // Usage stats (Pro)

Error Handling

try {
  const result = await api.cve.lookup("CVE-9999-0000");
} catch (err) {
  console.log(err.status);    // 404
  console.log(err.message);   // "CVE not found"
}
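
Building on err.status and the documented 404 from cve.kev(), the following added example (not SDK code) sorts CVE findings by KEV membership and treats only a 404 as "not in the catalog", so a failed lookup is never mistaken for a clean result. The helper names, the stub client, its response body, the 503 error and the CVE-0000-* placeholder IDs are constructed for illustration.

```javascript
// Added example, not part of the SDK. `api` is a client created as in Quick Start.

// Resolve KEV membership for one CVE. Only a 404 means "not in the catalog";
// every other failure is rethrown so an outage is never read as "not exploited".
async function kevStatus(api, cveId) {
  try {
    return { cveId, inKev: true, detail: await api.cve.kev(cveId) };
  } catch (err) {
    if (err && err.status === 404) return { cveId, inKev: false, detail: null };
    throw err;
  }
}

// Sort findings into patch-first / backlog / unknown (lookup failed, retry later).
// Each lookup is a separate call, so it costs one credit per CVE.
async function triageByKev(api, cveIds) {
  const out = { patchFirst: [], backlog: [], unknown: [] };
  for (const cveId of cveIds) {
    try {
      const { inKev } = await kevStatus(api, cveId);
      (inKev ? out.patchFirst : out.backlog).push(cveId);
    } catch (err) {
      out.unknown.push({ cveId, status: err.status, message: err.message });
    }
  }
  return out;
}

// Constructed stand-in for the client so the example runs offline. The response
// body and the 503 error are made up; only the 404 behaviour comes from the README.
const stubApi = {
  cve: {
    kev: async (id) => {
      if (id === "CVE-2021-44228") return { cve_id: id };
      const notListed = id === "CVE-0000-0001"; // placeholder ID
      const err = new Error(notListed ? "not in catalog" : "upstream error");
      err.status = notListed ? 404 : 503;
      throw err;
    },
  },
};
```

Entries in unknown should be retried rather than dropped into the backlog.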

TypeScript

Full typings ship in index.d.ts. As of v1.4.0 every namespace method declares a concrete return type (e.g. Promise<CveResponse> instead of Promise<any>), so IDEs autocomplete on response keys and TypeScript catches typos at compile time.

import ContrastAPI, { CveResponse, AuditResponse } from "contrastapi";

const api = ContrastAPI();
const cve: CveResponse = await api.cve.lookup("CVE-2021-44228");
console.log(cve.kev?.in_kev);   // boolean | undefined

License

MIT