
ghostcheck

v0.1.0

AI code vulnerability scanner — catches hallucinated packages, phantom APIs, and insecure patterns before you commit. Zero-config, offline, under 2 seconds.

Readme

Hallucinated packages. Phantom APIs. Insecure patterns. All caught before you commit — offline, zero-config, under 2 seconds.


Quick Start

npx ghostcheck

That's it. No signup, no API keys, no config files.


What It Catches

$ npx ghostcheck

  src/lib/api.ts
    3:1  error  Package 'supabase-realtime-helpers' does not exist on npm
                Did you mean: @supabase/realtime-js                    [hallucinated-import]

    8:5  warn   fs.readFilePromise() does not exist
                Use fs.promises.readFile instead                       [phantom-api]

  src/utils/auth.ts
   14:5  error  Hardcoded API key detected (sk-proj-...)
                Move to process.env.OPENAI_API_KEY                     [unsafe-pattern]

  src/db/queries.ts
    9:3  warn   SQL string concatenation with user input
                Use parameterized queries instead                      [unsafe-pattern]

  4 files scanned in 0.8s
  2 errors  2 warnings

The 3 Rules

| Rule | What it catches | How |
|---|---|---|
| hallucinated-import | npm packages your AI invented that don't exist | Cross-references imports against npm registry + typo detection |
| phantom-api | Methods that don't exist on real libraries (fs.readFilePromise, JSON.tryParse) | Pattern database of ~50 common AI hallucinations |
| unsafe-pattern | eval, innerHTML, SQL concat, hardcoded secrets, disabled TLS | Regex + AST matching with low false-positive tuning |
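The hallucinated-import row describes the check as a registry cross-reference plus typo detection. The script below is an added example, not ghostcheck's own code, that does the same thing in miniature: it extracts module specifiers from a file, reduces each to a package name (scoped packages and subpath imports included), looks the name up, and offers a "did you mean" suggestion for near misses. It assumes a constructed `KNOWN_PACKAGES` snapshot in place of a live npm registry query so that it runs offline, uses a regex rather than an AST to find imports, and the 0.6 similarity cut-off is an arbitrary choice for the demo.

```javascript
// Added example (not ghostcheck's own code): the hallucinated-import check in miniature.
// It pulls module specifiers out of a source file, reduces each to a package name, looks
// the name up and offers a "did you mean" suggestion for near misses.
// Assumption: KNOWN_PACKAGES is a constructed registry snapshot that stands in for a real
// npm registry query, so the example runs offline; import extraction is regex-based here.

const KNOWN_PACKAGES = new Set([
  "@supabase/realtime-js", "@supabase/supabase-js", "express", "lodash", "zod",
]);
const NODE_BUILTINS = new Set(["fs", "path", "crypto", "http", "https", "os", "url", "util"]);

// Matches `import ... from "x"`, `import "x"`, `export ... from "x"` and `require("x")`.
const IMPORT_RE =
  /(?:\bimport\b\s*(?:[^'";]*?\s+from\b\s*)?|\brequire\s*\(\s*|\bfrom\b\s*)['"]([^'"]+)['"]/g;

// Reduce a specifier to the package it resolves to; null means it is not a package at all.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Drop the scope marker so "@scope/name" and "scope-name" compare as near neighbours.
function normalize(name) {
  return name.replace(/^@/, "").replace("/", "-").toLowerCase();
}

// Closest known package by similarity ratio; the 0.6 cut-off is an arbitrary demo choice.
function suggest(name) {
  let best = null;
  let bestScore = 0;
  for (const candidate of KNOWN_PACKAGES) {
    const d = levenshtein(normalize(name), normalize(candidate));
    const score = 1 - d / Math.max(name.length, candidate.length);
    if (score > bestScore) {
      best = candidate;
      bestScore = score;
    }
  }
  return bestScore >= 0.6 ? best : null;
}

// One finding per import whose package is neither a Node builtin nor in the snapshot.
function checkImports(source) {
  const findings = [];
  for (const m of source.matchAll(IMPORT_RE)) {
    const name = packageName(m[1]);
    if (!name || NODE_BUILTINS.has(name) || KNOWN_PACKAGES.has(name)) continue;
    findings.push({
      line: source.slice(0, m.index).split("\n").length,
      rule: "hallucinated-import",
      message: `Package '${name}' does not exist on npm`,
      suggestion: suggest(name),
    });
  }
  return findings;
}

// Constructed sample: a real scoped package, an invented one, builtins, a typo, a relative
// path, a CommonJS require and a re-export from a scoped subpath.
const SAMPLE_SOURCE = [
  'import { createClient } from "@supabase/supabase-js";',
  'import { RealtimeChannel } from "supabase-realtime-helpers";',
  'import fs from "node:fs";',
  'import path from "path";',
  'import _ from "lodahs";',
  'import { helper } from "./local/helper";',
  'const z = require("zod");',
  'export { RealtimeClient } from "@supabase/realtime-js/dist/module";',
].join("\n");

for (const f of checkImports(SAMPLE_SOURCE)) {
  const hint = f.suggestion ? `  Did you mean: ${f.suggestion}` : "";
  console.log(`${f.line}:1  error  ${f.message}${hint}  [${f.rule}]`);
}
```

Run with `node hallucinated-import-demo.js` (any file name works). Two details matter in a real implementation that this snapshot hides: a registry lookup that fails (offline, rate-limited, timed out) should be reported as "could not verify", never silently counted as "exists", and the snapshot or cache of known names needs a freshness policy so that a newly published package is not flagged forever.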


Why This Exists

ESLint checks style. Semgrep checks patterns. Snyk checks CVEs.

Nobody checks whether the packages your AI invented actually exist. 66% of developers report bugs from AI-generated code that "looks right" but doesn't work. These aren't style issues — they're phantom APIs, hallucinated dependencies, and insecure patterns memorized from training data.

ghostcheck catches this entire category.


Install

npx ghostcheck              # zero-install, always latest
npm install -g ghostcheck    # global
npm install -D ghostcheck    # per-project

Usage

ghostcheck check .                    # scan current directory
ghostcheck check src/ --format json   # JSON output for CI
ghostcheck check --staged             # only git-staged files
ghostcheck hook install               # git pre-commit hook
ghostcheck ci                         # CI mode (SARIF + annotations)

CI/CD

# .github/workflows/ghostcheck.yml
name: ghostcheck
on: [push, pull_request]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx ghostcheck ci

Config

Zero-config by default. Customize with .ghostcheckrc:

{
  "rules": {
    "hallucinated-import": "error",
    "phantom-api": "warn",
    "unsafe-pattern": "error"
  },
  "ignore": ["tests/", "vendor/"],
  "failOn": "error"
}
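To show how the phantom-api and unsafe-pattern rows of the rules table and the `.ghostcheckrc` keys above fit together, here is an added example that is not ghostcheck's own code: a small rule engine whose pattern tables are constructed for the demo (two phantom APIs from the table, one regex per unsafe category), whose config loader layers an rc object over the defaults, honours `rules` severities including `"off"`, skips `ignore` prefixes, and turns `failOn` into an exit code. The file contents, the placeholder key and the config values are all constructed.

```javascript
// Added example (not ghostcheck's own code): a small rule engine for the phantom-api and
// unsafe-pattern rules, driven by a .ghostcheckrc-style object. The pattern tables, the
// file contents and the config values below are constructed for the demo.

const DEFAULT_CONFIG = {
  rules: { "hallucinated-import": "error", "phantom-api": "warn", "unsafe-pattern": "error" },
  ignore: [],
  failOn: "error",
};

// Layer a parsed .ghostcheckrc over the defaults; any key the file omits keeps its default.
function loadConfig(rc = {}) {
  return {
    rules: { ...DEFAULT_CONFIG.rules, ...(rc.rules || {}) },
    ignore: rc.ignore || DEFAULT_CONFIG.ignore,
    failOn: rc.failOn || DEFAULT_CONFIG.failOn,
  };
}

// phantom-api: plausible-looking calls that do not exist (a constructed two-entry table).
const PHANTOM_APIS = [
  { pattern: /\bfs\.readFilePromise\s*\(/, message: "fs.readFilePromise() does not exist", fix: "Use fs.promises.readFile instead" },
  { pattern: /\bJSON\.tryParse\s*\(/, message: "JSON.tryParse() does not exist", fix: "Wrap JSON.parse in try/catch" },
];

// unsafe-pattern: one regex per category named in the rules table.
const UNSAFE_PATTERNS = [
  { pattern: /\beval\s*\(/, message: "eval() on a runtime value", fix: "Parse data instead of executing it" },
  { pattern: /\.innerHTML\s*=/, message: "Assignment to innerHTML", fix: "Use textContent or sanitize first" },
  { pattern: /["']\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']\s*\+/i, message: "SQL string concatenation with user input", fix: "Use parameterized queries instead" },
  { pattern: /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{/i, message: "SQL template literal interpolation", fix: "Use parameterized queries instead" },
  { pattern: /\bsk-proj-[A-Za-z0-9_-]{8,}/, message: "Hardcoded API key detected (sk-proj-...)", fix: "Move to process.env.OPENAI_API_KEY" },
  { pattern: /rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']?0/, message: "TLS certificate verification disabled", fix: "Keep verification on and fix the trust store" },
];

const RULE_TABLES = [["phantom-api", PHANTOM_APIS], ["unsafe-pattern", UNSAFE_PATTERNS]];

// Run every enabled rule over one file, line by line; ignored prefixes produce nothing.
function scanSource(filePath, source, config) {
  const findings = [];
  if (config.ignore.some((prefix) => filePath.startsWith(prefix))) return findings;
  source.split("\n").forEach((text, i) => {
    for (const [rule, table] of RULE_TABLES) {
      const severity = config.rules[rule];
      if (!severity || severity === "off") continue;
      for (const { pattern, message, fix } of table) {
        const m = pattern.exec(text);
        if (m) findings.push({ file: filePath, line: i + 1, col: m.index + 1, severity, rule, message, fix });
      }
    }
  });
  return findings;
}

// failOn decides which severities turn into a non-zero exit (error outranks warn).
function exitCode(findings, config) {
  const rank = { warn: 1, error: 2 };
  const threshold = rank[config.failOn] || 2;
  return findings.some((f) => (rank[f.severity] || 0) >= threshold) ? 1 : 0;
}

function formatFinding(f) {
  return `${f.file} ${f.line}:${f.col}  ${f.severity.padEnd(5)}  ${f.message}  (${f.fix})  [${f.rule}]`;
}

// Constructed sample files; the sk-proj- value is a placeholder, not a real credential.
const SAMPLE_FILES = {
  "src/utils/auth.ts": [
    'import fs from "fs";',
    'const OPENAI_KEY = "sk-proj-EXAMPLE0000000000";',
    'const raw = fs.readFilePromise("config.json");',
  ].join("\n"),
  "src/db/queries.ts": [
    "export function find(req) {",
    '  const q = "SELECT * FROM users WHERE id = " + req.params.id;',
    "  const purge = `DELETE FROM sessions WHERE user = ${req.user}`;",
    "  return db.query(q);",
    "}",
  ].join("\n"),
  "tests/fixtures/bad.ts": "eval(userInput);",
};

// A constructed .ghostcheckrc: tests/ is ignored, so the eval() there is never reported.
const SAMPLE_RC = { rules: { "phantom-api": "warn" }, ignore: ["tests/"], failOn: "error" };

function runDemo(rc = SAMPLE_RC) {
  const config = loadConfig(rc);
  const findings = Object.entries(SAMPLE_FILES).flatMap(([p, s]) => scanSource(p, s, config));
  return { findings, code: exitCode(findings, config) };
}

const demo = runDemo();
demo.findings.forEach((f) => console.log(formatFinding(f)));
console.log(`exit code ${demo.code}`);
```

The `ignore` list is the setting to watch when adopting a tool like this: an over-broad prefix (say `src/`) silently turns the scanner off for the code that matters, so review that list in the same PR that introduces the config, and keep `failOn` at `error` in CI so a hardcoded key or SQL concatenation blocks the merge rather than printing a warning nobody reads.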

How It Works

  ghostcheck check .
        │
        ▼
  ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
  │ File         │     │ AST Parse    │     │ Rule Engine  │
  │ Discovery    │────▶│ (SWC/regex)  │────▶│ (3 rules)    │
  │ .gitignore   │     │ Extract      │     │ Check each   │
  │ aware        │     │ imports +    │     │ finding vs   │
  │              │     │ API calls    │     │ registry +   │
  └──────────────┘     └──────────────┘     │ patterns     │
                                            └──────┬───────┘
                                                   │
                                            ┌──────▼───────┐
                                            │ Output       │
                                            │ Pretty/JSON  │
                                            │ SARIF/JUnit  │
                                            └──────────────┘

Offline-first. Parallel file processing. Content-hash caching (second run is instant).


Contributing

git clone https://github.com/sagarmk/ghostcheck.git
cd ghostcheck
npm install && npm test

See CONTRIBUTING.md for details.

License

MIT