scan-mal

Scan JS/TS code for suspicious remote imports and network interactions (potential malware indicators).

Install

npm install -g scan-mal

Usage

scan-mal [path|glob] [--json] [--ext=js,ts,jsx,tsx] [--allow-domain=domain1,domain2]

# examples
scan-mal ./src
scan-mal "**/*.js" --json
scan-mal ./src --ext=js,ts --allow-domain=yourdomain.com,cdn.yourdomain.com

Defaults:

• Path: current directory
• Extensions: js, jsx, ts, tsx, mjs, cjs
• Colors: enabled (set NO_COLOR=1 to disable)

Exit codes:

• 0: no suspicious findings
• 1: at least one finding (any severity)
• 2: CLI usage error

What it detects

• Remote code loading
  • import/require/dynamic import() from URLs
• Network exfil APIs
  • fetch, axios, XMLHttpRequest, WebSocket, navigator.sendBeacon
• DOM/script injection patterns
  • document.createElement('script'|'img'|'iframe')
  • element.setAttribute('src'|'href'|'action', 'http(s)://...')
  • element.src|href|action = 'http(s)://...'
  • document.write('<script src=...>')
• Obfuscation/risky evaluation
  • eval(...), new Function(...)
  • atob(...) or Buffer.from(..., 'base64') combined with eval/Function
• Inline remote URLs (heuristic string scan)

Severity model:

• Scheme-based: http/ws = HIGH, https/wss = MEDIUM
• Inline/heuristics are typically LOW

Allowlist:

• Use --allow-domain=domain1,domain2 to skip known-safe hosts (match exact host or subdomains).

Output

Pretty (default): grouped by file, colored severities, line:column, with details.

JSON (--json):

{
  "issues": [
    {
      "kind": "network-fetch",
      "severity": "high",
      "detail": "fetch to http://bad.site/api",
      "location": { "file": "/abs/path/file.js", "line": 10, "column": 3 }
    }
  ]
}

Notes

• Scanner stays within the provided path/glob, ignores node_modules, .git, common build dirs, and does not follow symlinks.
• Parsing is AST-based for accuracy; inline URL scan is heuristic and may include false positives.

Install from npm:

npm install -g scan-mal