
supply-chain-attack

v0.1.10

Published

Scan local package-manager state for known supply-chain attack indicators.

Downloads

2,948

Readme

supply-chain-attack

Scan local package-manager state for packages and files associated with known supply-chain attacks.

npx supply-chain-attack

The scanner runs offline against an embedded advisory snapshot and checks global installs, temporary npx installs, npm/pnpm/Yarn/Bun caches or stores, and Python user/pipx environments when present. It also flags npm packages whose postinstall script performs network-fetch behavior (curl, wget, JavaScript fetch, or Node http/https requests), including when postinstall points at a local install file that performs the fetch.

Output

The default report is compact and terminal-friendly. It highlights the verdict, the latest tracked attacks, affected packages found locally, packages with postinstall network-fetch behavior, and scan scope. Colors use a muted minimalist palette and can be disabled with NO_COLOR=1 or --no-color.

Verdict: Potential supply-chain exposure detected — 4 package hits

LATEST ATTACK
Mini Shai-Hulud expansion into AI/devtool ecosystem packages (2026-05-12)
Affected: 3 packages
Libraries you had:
- npm [email protected] (pnpm store)

scan 5 store(s), 4724 package/version pair(s), snapshot 2026-05-12

Interactive terminals include a small menu for context and remediation prompts:

options  l learn  a actions  q quit  ›

Usage

npx supply-chain-attack
npx supply-chain-attack --json
npx supply-chain-attack --list-advisories
npx supply-chain-attack --no-interactive
npx supply-chain-attack --no-color

By default, the command exits non-zero when findings are detected. Use --fail-on none to always exit 0 unless there is a usage or runtime error.

Coverage

Snapshot: 2026-05-12
Tracked artifacts: 438 package/version entries

Local sources include:

  • npm global packages, cache records, and _npx installs
  • pnpm global packages and content-addressed store manifests
  • Yarn and Bun global/cache entries
  • Python user site-packages and pipx virtual environments
  • Selected suspicious home-directory files matching known campaign indicators

Exit Codes

  • 0: no findings, or --fail-on none
  • 1: findings detected
  • 2: usage or runtime error

Privacy

No discovered package names, versions, paths, or files are sent to a remote service. The default scan uses only the embedded offline snapshot.

Interpreting Findings

A cache/store hit means the package was present on this machine. A global or npx hit is stronger evidence that package code may have been installed or executed.

If you get a hit, treat the machine as potentially exposed: remove affected installs, clear relevant caches, inspect dependent projects, rotate exposed credentials, and check for persistence or workflow changes.

Limitations

This is a detection aid, not a complete incident-response platform. A clean result does not prove the machine is malware-free, and the embedded advisory snapshot is necessarily dated.

Development

npm test
npm run check
node bin/supply-chain-attack.js

The package has no runtime npm dependencies and requires Node.js 18 or newer.

Research

Source notes are maintained in RESEARCH.md.

License

MIT