
xploitscan

v1.0.2

AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do.

Readme

XploitScan

Security scanner for AI-generated code. Find vulnerabilities before attackers do.

Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 131 security rules. Plain-English results. Copy-paste fixes.

Quick Start

```bash
npx xploitscan scan .
```

No install, no config, no account required. Your code stays 100% local.

What It Catches

131 rules across 15+ categories:

| Category | Examples | Rules |
|----------|---------|-------|
| Secrets | Hardcoded API keys, .env files, OAuth secrets, Terraform state | 15+ |
| Injection | SQL, XSS, SSRF, command injection, path traversal, XXE, SSTI | 20+ |
| Authentication | Missing auth, weak JWT, insecure password reset, OAuth flaws | 15+ |
| Cryptography | Weak RSA, deprecated TLS, ECB mode, hardcoded IVs | 10+ |
| Infrastructure | Dockerfile, Kubernetes, Terraform, AWS IAM misconfigs | 10+ |
| Supply Chain | Unpinned GitHub Actions, vulnerable dependencies | 5+ |
| Information Leakage | PII in logs, unencrypted DB fields, exposed admin routes | 10+ |
| Code Quality | Console.log in production, empty catch blocks, TODO/FIXME | 10+ |

Every finding includes OWASP Top 10 and CWE compliance mappings.

Installation

```bash
# Run directly (recommended — always latest version)
npx xploitscan scan .

# Or install globally
npm install -g xploitscan
xploitscan scan .
```

Usage

```bash
# Scan current directory
npx xploitscan scan .

# Scan a specific folder
npx xploitscan scan ./src

# JSON output (for scripting/CI)
npx xploitscan scan . --format json

# SARIF output (for GitHub Security tab)
npx xploitscan scan . --format sarif

# Scan only changed files vs main branch
npx xploitscan scan . --diff

# Watch mode — re-scan on file changes
npx xploitscan scan . --watch
```

Output Formats

| Format | Use Case |
|--------|----------|
| text | Human-readable terminal output (default) |
| json | Machine-readable JSON with all findings |
| sarif | GitHub Security tab integration |

GitHub Action

Add automated scanning to every PR:

```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run XploitScan
        uses: bgage72590/xploitscan@main
        with:
          path: '.'
          format: 'sarif'
          fail-on: 'critical'

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: xploitscan-results.sarif
```

Findings appear in the GitHub Security tab as code scanning alerts.
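Beyond uploading the SARIF file, a CI job often wants to read it itself to print a per-level summary or gate the build. The following is an added example, not xploitscan's own code; it assumes only the standard SARIF 2.1.0 layout (`runs[].results[]`, rule metadata under `tool.driver.rules`) and uses a constructed sample log rather than real scanner output.

```javascript
// Added example (not xploitscan's own code): gate CI on a SARIF 2.1.0 report such as the
// xploitscan-results.sarif the Action above uploads. Sample log below is constructed.
const LEVEL_RANK = { none: 0, note: 1, warning: 2, error: 3 }; // least to most severe

// Walk every run and result, resolving each result's level: explicit result.level first,
// then the rule's defaultConfiguration.level, then "warning" (the SARIF default).
function summarizeSarif(sarif) {
  const counts = { none: 0, note: 0, warning: 0, error: 0 };
  const findings = [];
  for (const run of sarif.runs || []) {
    const rules = new Map((run.tool?.driver?.rules || []).map((r) => [r.id, r]));
    for (const result of run.results || []) {
      const level = result.level
        || rules.get(result.ruleId)?.defaultConfiguration?.level
        || "warning";
      counts[level] = (counts[level] || 0) + 1;
      const loc = result.locations?.[0]?.physicalLocation;
      findings.push({
        ruleId: result.ruleId,
        level,
        message: result.message?.text || "",
        file: loc?.artifactLocation?.uri || "<unknown>",
        line: loc?.region?.startLine ?? 0,
      });
    }
  }
  return { counts, findings };
}

// True when at least one finding is at or above the failOn level (default "error").
function shouldFail(summary, failOn = "error") {
  return summary.findings.some((f) => LEVEL_RANK[f.level] >= LEVEL_RANK[failOn]);
}
// Constructed sample: one finding inherits "error" from its rule, one overrides its rule's
// "note" with an explicit "warning" at result level.
const SAMPLE_SARIF = {
  runs: [{
    tool: { driver: { name: "example-scanner", rules: [
      { id: "EX001", defaultConfiguration: { level: "error" } },
      { id: "EX002", defaultConfiguration: { level: "note" } },
    ] } },
    results: [
      { ruleId: "EX001", message: { text: "hardcoded credential" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/db.js" }, region: { startLine: 12 } } }] },
      { ruleId: "EX002", level: "warning", message: { text: "console.log in production path" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/app.js" }, region: { startLine: 40 } } }] },
    ],
  }],
};
```

Note that the workflow above references the action by the mutable `@main` ref, which is the unpinned-Action pattern the tool's own Supply Chain category flags; pin it to a release tag or commit SHA if you adopt it.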

Configuration

Create a .xploitscanrc file in your project root:

```json
{
  "rules": {
    "include": ["VC001-VC131"],
    "exclude": ["VC042"]
  },
  "format": "json",
  "fail-on": "high",
  "ignore": ["node_modules", "dist", ".git"]
}
```

Web Dashboard

Scan via the web at xploitscan.com:

  • Drag-and-drop file/ZIP upload
  • GitHub URL scanning
  • Scan history and score trends
  • PDF security reports
  • SOC2/ISO27001 compliance mapping
  • Slack and Discord webhook notifications

Free: 5 scans/day, 30 core rules. Pro ($29/mo): unlimited scans, all 131 rules, and all dashboard features. Team ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.

Supported Languages

JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and configuration files (Dockerfile, Terraform, Kubernetes, GitHub Actions, .env).

License

MIT -- Cipherline LLC