npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

typoguard

v1.0.0

Published

A CLI tool to detect typosquatting and dangerous scripts in dependencies

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

ravvdevvravvdevv

Keywords

securitynpmtyposquatsupply-chaindependenciesaudit

Readme

TypoGuard

A security utility for identifying typosquatting, malicious install scripts, and suspicious package heuristics within the npm ecosystem.

Overview

TypoGuard is designed to provide a proactive layer of security for Node.js projects by scanning dependencies before and during installation. It focuses on identifying supply chain attacks that traditional vulnerability scanners (npm audit) often miss, such as brand-new malicious packages or compromised maintenance accounts.

Core Features

  • Typosquat Detection: Compares project dependencies against the top 100 most-downloaded npm packages to identify suspiciously similar names (e.g., experss vs express).
  • Install Script Analysis: Scans preinstall, postinstall, and install hooks for dangerous patterns including remote script execution (curl | sh), dynamic code evaluation (eval), and unauthorized system access.
  • Metadata Heuristics: Analyzes package age, maintainer count, and description quality to flag high-risk, newly created, or unmaintained dependencies.
  • CI/CD Integration: Provides structured JSON output and non-zero exit codes for automated security gates in build pipelines.

Installation

bun add -d typoguard
# or
npm install --save-dev typoguard

Usage

Project Scan

Scan all dependencies listed in package.json and analyze installed node_modules.

typoguard scan .

CI/CD Integration

Generate a machine-readable report for automated analysis.

typoguard scan . --json > typoguard-report.json

Preinstall Enforcement

Block installations if high-risk threats (typosquats or high-risk local scripts) are detected. Add this to your package.json:

{
  "scripts": {
    "preinstall": "typoguard preinstall"
  }
}

Detection Heuristics

Typosquatting

  • High Confidence: Distance 1 (e.g., lodash vs lodaash).
  • Medium Confidence: Distance 2 for strings longer than 4 characters (e.g., axios vs axois).

Dangerous Scripts

  • High Risk: Remote execution (curl, wget piped to sh), environment variable exfiltration (env |), or sensitive file access (/etc/passwd).
  • Medium Risk: Arbitrary code execution (node -e), binary permission changes (chmod +x), or direct shell execution.

Heuristics

  • New Packages: Dependencies created within the last 30 days.
  • Single Maintainers: Projects with only one authorized publisher.
  • Placeholder Metadata: Packages with extremely short descriptions or missing fields.

License

MIT LICENSE