npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

expecto-security

v0.1.17

Published

Supply-chain firewall for AI coding tools

Readme

expecto-security

Real-time supply-chain protection for AI coding tools.

Before any npm install or pip install runs — whether you typed it or your AI agent did — Expecto checks the package against a global verdict cache built from real sandbox detonations. Malicious packages are blocked before a single file is written to your machine.

npx expecto-security init

One command. Works in Claude Code, Cursor, and your terminal.


What it does

  • Blocks malicious packages at install time — not after they've run
  • Intercepts AI-generated installs — hooks into Claude Code and Cursor before they execute npm install / pip install
  • Protects your terminal too — optional shell shims wrap npm, pip, yarn, and pnpm
  • Shows a safe alternative — when a package is blocked, Expecto suggests a clean replacement

🧙 Expecto — 🚨 Package install blocked!

  ❌ [email protected]
  🔍 reason: post-install script exfiltrates ~/.npm/credentials
  📋 rules: R2b, R1
  ✅ safe alternative: [email protected]

Quick start

npx expecto-security init

That's it. Run this once in your project and every install — AI-generated or manual — is checked before it runs.

If you have an API key:

npx expecto-security init --api-key YOUR_KEY

What gets installed

expecto init writes five things into your project:

| What | Where | Does |
|---|---|---|
| Security hook | .claude/hooks/pre_tool_use.py | Intercepts every install in Claude Code |
| Claude Code config | .claude/settings.json | Registers the hook |
| MCP server | .mcp.json | Lets Claude Code / Cursor call check_package as a tool |
| Cursor rule | .cursor/rules | Tells Cursor to check packages before suggesting installs |
| Context block | CLAUDE.md | Guides the AI to prefer clean packages |

Shell shims (optional, prompted during init) go to ~/.expecto/bin/ and intercept terminal installs.


Package managers covered

npm install · npm add · npm ci · npx · yarn add · yarn install · pnpm add · pnpm install · pip install · pip3 install · python -m pip install · uv pip install · pipx install

Manifest installs too — bare npm install reads your package.json; pip install -r requirements.txt reads the file.
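Added example, not Expecto's own hook code: a `pre_tool_use.py` in the shape of the security hook from the table above that parses every install form listed here (including bare `npm install` reading package.json and `pip install -r FILE`), looks each spec up in a verdict cache and refuses the command on a malicious verdict. The stdin JSON shape (`tool_name`, `tool_input.command`) and exit code 2 as the blocking signal are assumed from Claude Code's hook contract; the verdict cache and the names `evil-utils` and `requessts` are constructed stand-ins, not real verdicts.

```python
import json, re, sys
# Install forms listed on the page; each tuple is the command prefix that precedes the package args.
NPM_PREFIXES = [("npm", "install"), ("npm", "add"), ("npm", "ci"), ("npx",), ("yarn", "add"),
                ("yarn", "install"), ("pnpm", "add"), ("pnpm", "install")]
PIP_PREFIXES = [("pip", "install"), ("pip3", "install"), ("python", "-m", "pip", "install"),
                ("uv", "pip", "install"), ("pipx", "install")]
NPM_SPEC = re.compile(r"^(@?[^@]+)(?:@(.+))?$")          # name[@version], scoped names included
PIP_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?(?:==([^,;\s]+))?")
# Constructed stand-in for the global verdict cache; the real hook queries the Expecto API instead.
VERDICT_CACHE = {("npm", "evil-utils", None): "malicious", ("pypi", "requessts", None): "malicious"}
def extract_specs(command, read_file=lambda p: open(p).read()):
    """(ecosystem, name, version) per package; bare npm/yarn/pnpm install reads package.json, pip -r reads FILE."""
    specs = []
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command.strip()):
        tokens = segment.split()
        for eco, prefixes in (("npm", NPM_PREFIXES), ("pypi", PIP_PREFIXES)):
            for prefix in prefixes:
                if tuple(tokens[:len(prefix)]) != prefix:
                    continue
                args, names = iter(tokens[len(prefix):]), []
                for a in args:
                    if eco == "pypi" and a in ("-r", "--requirement") and (path := next(args, None)):
                        names += [l.split("#")[0].strip() for l in read_file(path).splitlines()]
                    elif not a.startswith("-"):           # flags such as --save-dev carry no package
                        names.append(a)
                if eco == "npm" and not names and prefix[-1] in ("install", "ci"):   # manifest install
                    pkg = json.loads(read_file("package.json"))
                    names += [f"{n}@{v}" for sec in ("dependencies", "devDependencies")
                              for n, v in pkg.get(sec, {}).items()]
                for spec in filter(None, names):
                    m = (NPM_SPEC if eco == "npm" else PIP_SPEC).match(spec)
                    if m: specs.append((eco, m.group(1), m.group(2)))
    return specs

def verdict_for(eco, name, version):
    return VERDICT_CACHE.get((eco, name, version)) or VERDICT_CACHE.get((eco, name, None), "clean")

def handle_event(event, read_file=lambda p: open(p).read()):
    """Hook contract (assumed): return (exit_code, messages); exit 2 blocks the call and stderr reaches the model."""
    if event.get("tool_name") != "Bash":
        return 0, []
    command = event.get("tool_input", {}).get("command", "")
    blocked = [s for s in extract_specs(command, read_file) if verdict_for(*s) == "malicious"]
    return (2 if blocked else 0), [f"Expecto: install blocked, {e}:{n} has a malicious verdict" for e, n, _ in blocked]

if __name__ == "__main__":                               # Claude Code runs this with the tool call on stdin
    code, messages = handle_event(json.load(sys.stdin))
    print("\n".join(messages), file=sys.stderr)
    sys.exit(code)
```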


Commands

npx expecto-security init          # set up in current project
npx expecto-security login         # save your API key
npx expecto-security check lodash  # manually check a package
npx expecto-security update        # update the hook to the latest version

After init, the expecto command is available directly:

expecto check express --version 4.18.2
expecto check requests --ecosystem pypi

API key

Expecto works without an API key on the free tier (rate-limited). To get a key, run expecto login or pass --api-key to expecto init.

The key is stored in your OS keychain and ~/.expecto/api_key — never in your project files.


How it works

Every check hits a global verdict cache shared across all users. The first person in the world to check a package pays the sandbox detonation cost (~60 seconds). Every subsequent check returns from cache in ~30 ms. The more developers use Expecto, the faster and more complete the cache gets.

Verdicts come from:

  • Metadata heuristics — typosquatting, combosquatting, brandjacking
  • OSV advisory database — known malicious packages
  • Behavioral sandbox — Docker + strace detonation, 12 detection rules including credential reads, network exfiltration, obfuscation, and canary credential access
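An added illustration of the behavioural sandbox idea, not Expecto's rule set: three checks run over a constructed strace excerpt of a post-install script, covering the credential reads, network exfiltration and canary credential access named above. The credential path list, the canary token and the trace lines are assumptions constructed for this example.

```python
import re

# Credential files an install script has no business opening (constructed subset for this example).
CREDENTIAL_PATHS = re.compile(r"/\.(?:npm/credentials|npmrc|pypirc|aws/credentials|ssh/id_[a-z0-9]+|env)$")
OPENAT = re.compile(r'openat\(AT_FDCWD, "([^"]+)", ([A-Z_|]+)')
CONNECT = re.compile(r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
OUTBOUND = re.compile(r"^(?:\d+\s+)?(?:write|sendto|sendmsg)\(")   # syscalls that can carry data out

def analyse_trace(trace, canary_tokens=()):
    """Run three behavioural rules over an strace log and return a verdict dict.
    canary_tokens are fake secrets the sandbox planted; seeing one in outbound data proves exfiltration."""
    reads, connects, connects_after_read, leaks = [], [], [], []
    for line in trace.splitlines():
        if (m := OPENAT.search(line)) and CREDENTIAL_PATHS.search(m.group(1)):
            reads.append(m.group(1))
        elif m := CONNECT.search(line):
            connects.append(f"{m.group(2)}:{m.group(1)}")
            if reads:                                    # ordering matters: read first, then talk out
                connects_after_read.append(connects[-1])
        elif OUTBOUND.search(line):
            leaks += [t for t in canary_tokens if t in line]
    if leaks:
        verdict, reason = "malicious", f"canary credential {leaks[0]} sent over the network"
    elif reads and connects_after_read:
        verdict, reason = "malicious", f"reads {reads[0]} then connects to {connects_after_read[0]}"
    elif reads:
        verdict, reason = "suspicious", f"reads {reads[0]} without observed exfiltration"
    else:
        verdict, reason = "clean", "no credential access or exfiltration observed"
    return {"verdict": verdict, "reason": reason, "credential_reads": reads,
            "connects": connects, "canary_leaks": leaks}

# Constructed `strace -f -s 256` excerpt of a post-install script; not from any real package.
SAMPLE_TRACE = r"""4242  openat(AT_FDCWD, "/app/node_modules/some-pkg/postinstall.js", O_RDONLY|O_CLOEXEC) = 17
4242  openat(AT_FDCWD, "/home/dev/.npm/credentials", O_RDONLY|O_CLOEXEC) = 18
4242  read(18, "//registry.npmjs.org/:_authToken=npm_CANARY0001", 4096) = 47
4242  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 19
4242  connect(19, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
4242  write(19, "POST /collect HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\nnpm_CANARY0001", 58) = 58
"""

if __name__ == "__main__":
    result = analyse_trace(SAMPLE_TRACE, canary_tokens=("npm_CANARY0001",))
    print(result["verdict"], "-", result["reason"])
```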

Requirements

  • Node.js 16+ (for npx expecto-security)
  • Python 3.9+ (the Python side is installed from pip automatically on first run if it is missing)
  • Claude Code, Cursor, or any terminal — at least one of the three