Package Scanner

Scan npm packages for known vulnerabilities

Detect known malware, known vulnerabilities, and suspicious metadata signals in your npm dependencies — all in one scan

package-scanner
$ scanning 847 dependencies...
Malware database checked
OSV vulnerabilities queried
Metadata signals analyzed
No known threats detected

Supports package.json and lockfiles

Read dependencies from package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock, and package.json.

Separates direct and transitive dependencies

See what your project declared directly and what was pulled in transitively, so you can tell a package you chose from one that came along with it and scope review accordingly.

Shareable analysis reports

Collect findings, affected versions, and metadata warnings in a report your team can review together.

What it checks

Why Choose PackageScanner?

PackageScanner reports three kinds of result separately: matches against known malicious packages, published High and Critical vulnerabilities, and metadata signals that deserve review. Results are a practical starting point for dependency review, not a guarantee.

Malware Detection

Identify known malicious packages in your direct and transitive dependencies by matching package names and versions against a database of reported npm malware

Vulnerability Scan

Check every resolved dependency version against the OSV database for published CVEs and security advisories; High and Critical findings are reported with their severity and the first fixed version where the advisory lists one
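The following is an added example, not PackageScanner's own code, showing the two halves of an OSV check: building the request body that the OSV batch query endpoint accepts, and deciding offline from an OSV-format advisory record whether an installed version falls inside an affected range, what its severity is, and which version fixes it. The dependency list and the advisory records are constructed for the example, and the EXAMPLE-* ids are placeholders rather than real advisories; the severity filter reads the GHSA-style database_specific.severity field, which is an assumption about the records being triaged.

```javascript
// Added example, not PackageScanner's own code: build an OSV querybatch
// request for npm dependencies and triage OSV-format advisory records offline.
// The dependency list and the advisories are constructed; the EXAMPLE-* ids
// are placeholders, not real advisories.

// Shape accepted by POST https://api.osv.dev/v1/querybatch. The response lists,
// per query, only {id, modified}; the full record comes from GET /v1/vulns/<id>.
function buildQueryBatch(deps) {
  return {
    queries: deps.map((d) => ({ package: { name: d.name, ecosystem: "npm" }, version: d.version })),
  };
}

// Minimal semver: major.minor.patch with an optional prerelease tag. OSV uses
// the literal "0" for "every version since the beginning".
function parseSemver(v) {
  if (v === "0") return { nums: [0, 0, 0], pre: null };
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1; // a release sorts above its prereleases
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walk the advisory's SEMVER ranges: each "introduced" opens an interval that
// the next "fixed" (exclusive) or "last_affected" (inclusive) closes.
// Returns null when the version is not affected, otherwise { fixed }, where
// fixed is the first patched version or null if the advisory lists none.
function affectedRange(vuln, name, version) {
  for (const a of vuln.affected || []) {
    if (!a.package || a.package.ecosystem !== "npm" || a.package.name !== name) continue;
    if ((a.versions || []).includes(version)) return { fixed: null };
    for (const r of a.ranges || []) {
      if (r.type !== "SEMVER") continue;
      let introduced = null;
      for (const ev of r.events) {
        if (ev.introduced !== undefined) { introduced = ev.introduced; continue; }
        if (introduced === null) continue;
        const inRange = compareSemver(version, introduced) >= 0;
        if (ev.fixed !== undefined) {
          if (inRange && compareSemver(version, ev.fixed) < 0) return { fixed: ev.fixed };
        } else if (ev.last_affected !== undefined) {
          if (inRange && compareSemver(version, ev.last_affected) <= 0) return { fixed: null };
        }
        introduced = null;
      }
      // an "introduced" with no closing event means every later version is affected
      if (introduced !== null && compareSemver(version, introduced) >= 0) return { fixed: null };
    }
  }
  return null;
}

// Keep High and Critical. A record with no severity is kept as UNKNOWN rather
// than dropped, so a missing field cannot hide a finding.
const REPORTED = new Set(["HIGH", "CRITICAL", "UNKNOWN"]);

function triage(deps, advisories) {
  const findings = [];
  for (const dep of deps) {
    for (const v of advisories) {
      const hit = affectedRange(v, dep.name, dep.version);
      if (!hit) continue;
      const severity = ((v.database_specific && v.database_specific.severity) || "UNKNOWN").toUpperCase();
      if (!REPORTED.has(severity)) continue;
      findings.push({
        package: dep.name, version: dep.version, id: v.id, aliases: v.aliases || [],
        severity, fixed: hit.fixed, references: (v.references || []).map((r) => r.url),
      });
    }
  }
  return findings;
}

// Constructed input: fictional package names and placeholder advisories.
const SAMPLE_DEPS = [
  { name: "acme-cookie-parser", version: "1.3.0" },
  { name: "acme-debug-log", version: "2.6.9" },
  { name: "acme-web-framework", version: "4.2.1" },
];
const SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-2024-0001", aliases: [], database_specific: { severity: "HIGH" },
    affected: [{ package: { ecosystem: "npm", name: "acme-cookie-parser" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.4.0" }] }] }],
    references: [{ type: "ADVISORY", url: "https://example.com/advisories/0001" }] },
  { id: "EXAMPLE-2024-0002", database_specific: { severity: "CRITICAL" },
    affected: [{ package: { ecosystem: "npm", name: "acme-debug-log" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "2.0.0" }, { fixed: "2.6.9" }] }] }] },
  { id: "EXAMPLE-2024-0003", database_specific: { severity: "MODERATE" },
    affected: [{ package: { ecosystem: "npm", name: "acme-web-framework" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "4.0.0" }, { fixed: "4.3.0" }] }] }] },
];

console.log(JSON.stringify(buildQueryBatch(SAMPLE_DEPS)));
console.log(triage(SAMPLE_DEPS, SAMPLE_ADVISORIES));
```

Two details matter in practice. The installed version must be compared with real semver ordering, not string comparison, or a boundary such as 2.6.9 against a fixed version of 2.6.9 is misjudged; here that version correctly comes out as not affected. And records that carry only a CVSS vector in their severity array, with no database_specific.severity, would need a CVSS calculator to classify; this example reports them as UNKNOWN so they still appear for review.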

Metadata Risk

Surface suspicious indicators — stale or brand-new releases, missing licenses, and possible typosquatting — so you can review before shipping
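As an added example, not PackageScanner's own code, the block below computes the three metadata signals named above for constructed package records: the age of the installed version's publish date, a missing or non-MIT license, and a name that is one edit away from a popular package. The popular-name list, the age thresholds, the minimum name length for the typosquat check, and the fixed NOW timestamp are all assumptions made for the example.

```javascript
// Added example, not PackageScanner's own code: metadata risk signals for
// constructed package records. POPULAR, the thresholds and NOW are assumptions.

const POPULAR = ["express", "lodash", "react", "axios", "chalk", "commander"];
const NOW = new Date("2024-06-01T00:00:00Z"); // fixed so the output is reproducible
const BRAND_NEW_DAYS = 7;    // published less than a week ago
const STALE_DAYS = 730;      // nothing published in two years
const MIN_TYPOSQUAT_LEN = 4; // very short names produce too many near misses

// Optimal string alignment distance: insert, delete, substitute, and a swap of
// two adjacent characters (lodahs -> lodash) each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Strip the scope and separators so "@x/left_pad" is compared as "leftpad".
function normalizeName(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Popular names the given name could be mistaken for; the exact name is not a hit.
function typosquatCandidates(name, popular = POPULAR) {
  const n = normalizeName(name);
  if (n.length < MIN_TYPOSQUAT_LEN) return [];
  return popular.filter((p) => p !== name && editDistance(n, normalizeName(p)) <= 1);
}

// pkg: { name, version, publishedAt (ISO string or undefined), license }
function analyzeMetadata(pkg, now = NOW, popular = POPULAR) {
  const signals = [];
  if (!pkg.publishedAt) {
    signals.push({ signal: "no-publish-date", detail: "registry metadata has no publish time for this version" });
  } else {
    const ageDays = (now - new Date(pkg.publishedAt)) / 86400000;
    if (ageDays < BRAND_NEW_DAYS) signals.push({ signal: "brand-new", detail: `published ${ageDays.toFixed(1)} days ago` });
    if (ageDays > STALE_DAYS) signals.push({ signal: "stale", detail: `last published ${Math.round(ageDays)} days ago` });
  }
  if (!pkg.license) signals.push({ signal: "missing-license", detail: "no license field" });
  else if (pkg.license !== "MIT") signals.push({ signal: "non-mit-license", detail: pkg.license });
  const lookalikes = typosquatCandidates(pkg.name, popular);
  if (lookalikes.length) signals.push({ signal: "possible-typosquat", detail: `close to ${lookalikes.join(", ")}` });
  return signals;
}

// Constructed records in the shape a registry lookup of each version would yield.
const SAMPLE_PACKAGES = [
  { name: "expres", version: "1.0.2", publishedAt: "2024-05-30T12:00:00Z", license: undefined },
  { name: "color-utils-js", version: "2.0.0", publishedAt: "2019-01-15T00:00:00Z", license: "Apache-2.0" },
  { name: "@acme/logger", version: "3.1.0", publishedAt: "2023-01-10T00:00:00Z", license: "MIT" },
];

for (const pkg of SAMPLE_PACKAGES) {
  console.log(pkg.name, analyzeMetadata(pkg));
}
```

Each signal is a prompt to look, not a verdict: "expres" comes out as brand-new, unlicensed and one edit from express, which is exactly the profile worth a manual check, while a long-lived Apache-licensed package is merely flagged stale and non-MIT for the reviewer to weigh. The minimum-length guard exists because two-letter names are one edit from many other two-letter names, so distance alone would flood the report.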

Workflow

Start a dependency inventory in minutes

Use it for a local check before wiring CI, for reviewing dependency changes, or for taking inventory of an existing project. Guides are also available for MCP, GitHub Actions, and Skill-based usage.

01

Upload project files

Choose package.json or a lockfile. Using both gives the best result: package.json tells the scanner which packages you declared directly, and the lockfile supplies the exact resolved version of every package, including transitive ones, instead of a version range.

02

Parse dependencies

Extract package names, versions, dependency groups, and dependency paths from manifests and lockfiles.

03

Review the report

Check known malware matches, High and Critical known vulnerabilities, plus publish-date and license signals.
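The three steps above, carried out on a lockfile, look like the following added example. It is not PackageScanner's own code: it reads the "packages" map of a package-lock.json (lockfile version 2 or 3), classifies every installed package as direct or transitive using the root entry's declared dependencies, and records the dependency path that pulled each one in, resolving nested node_modules the way npm does. The lockfile and its package names are constructed for the example.

```javascript
// Added example, not PackageScanner's own code: read a package-lock.json v3
// "packages" map, classify each installed package as direct or transitive,
// and record the dependency path that pulled it in.
// SAMPLE_LOCK is a constructed lockfile with fictional package names.

const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "acme-web-framework": "^4.0.0" },
      devDependencies: { "acme-test-runner": "^9.0.0" },
    },
    "node_modules/acme-web-framework": {
      version: "4.2.1",
      dependencies: { "acme-cookie-parser": "^1.0.0", "acme-debug-log": "^2.0.0" },
    },
    "node_modules/acme-cookie-parser": { version: "1.3.0" },
    "node_modules/acme-debug-log": { version: "2.6.9" },
    "node_modules/acme-test-runner": {
      version: "9.1.0",
      dev: true,
      dependencies: { "acme-debug-log": "^3.0.0" },
    },
    // nested install: the test runner needs a different major of acme-debug-log
    "node_modules/acme-test-runner/node_modules/acme-debug-log": { version: "3.0.1", dev: true },
  },
};

// Node-style resolution inside the lockfile: from `fromPath`, try
// `<fromPath>/node_modules/<name>`, then walk up towards the root node_modules.
function resolveChild(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed anywhere
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root's declared dependencies. Direct dependencies
// are enqueued first, so a package that is both declared and pulled in
// transitively is recorded once, as direct, with the shortest path.
function parseLockfile(lock) {
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 (a packages map)");
  const packages = lock.packages;
  const root = packages[""] || {};
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const inventory = new Map(); // lockfile path -> record
  const queue = [];
  for (const name of Object.keys(declared)) {
    const path = resolveChild(packages, "", name);
    if (!path) continue; // declared in package.json but absent from the lockfile
    const group = root.devDependencies && name in root.devDependencies ? "dev" : "prod";
    queue.push({ path, name, chain: [name], group, direct: true });
  }
  while (queue.length) {
    const item = queue.shift();
    if (inventory.has(item.path)) continue;
    const entry = packages[item.path];
    inventory.set(item.path, {
      name: item.name,
      version: entry.version,
      group: item.group,
      direct: item.direct,
      path: item.chain.join(" > "),
    });
    for (const child of Object.keys(entry.dependencies || {})) {
      const childPath = resolveChild(packages, item.path, child);
      if (childPath) queue.push({ path: childPath, name: child, chain: [...item.chain, child], group: item.group, direct: false });
    }
  }
  return [...inventory.values()];
}

// Counts, plus the names installed at more than one version: those are the
// entries where the dependency path is needed to explain why each copy exists.
function summarize(records) {
  const versions = new Map();
  for (const r of records) {
    if (!versions.has(r.name)) versions.set(r.name, new Set());
    versions.get(r.name).add(r.version);
  }
  return {
    total: records.length,
    direct: records.filter((r) => r.direct).length,
    transitive: records.filter((r) => !r.direct).length,
    multiVersion: [...versions].filter(([, v]) => v.size > 1).map(([n]) => n),
  };
}

const records = parseLockfile(SAMPLE_LOCK);
console.table(records);
console.log(summarize(records));
```

The inventory this produces is keyed by lockfile path rather than by name, which is what makes the nested acme-debug-log@3.0.1 under the test runner show up as its own record with its own path instead of being merged with the 2.6.9 copy the web framework uses; a scanner that deduplicates by name would check only one of the two versions. Each record carries the name and exact version that the malware and OSV lookups need, and the group and path that decide how much the finding matters.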

Use cases

A lightweight check for key moments in development

PackageScanner is not a full security audit. It is a review aid for spotting known dependency risks that are easy to miss in everyday development.

Before adding a new package

Check candidate packages and planned dependency additions for known malware and severe known vulnerabilities.

Before a release

Review locked versions and gather the information needed for a practical release decision.

At the start of an investigation

Surface suspicious names, licenses, and publish dates so follow-up review can be prioritized.

Signals shown in the report

Scan results do not guarantee safety, but they organize dependency review points in one place.

Matches against known malicious npm packages
High and Critical known vulnerabilities registered in OSV
Fixed versions and advisory references where available
Fresh or stale releases that may deserve extra review
Missing licenses, non-MIT licenses, and possible typosquatting

Transparent scope

Clear about what it can and cannot do

To avoid overstating results, PackageScanner makes its scope explicit. It helps with dependency review, but it does not replace expert auditing or runtime protection.

It does not detect unknown malware or unpublished vulnerabilities.
Metadata warnings are risk signals, not proof that a package is malicious.
Final decisions still require reviewing changelogs, maintainers, code, and real project usage.

Run a first dependency scan

Upload package.json or a lockfile to review known risks and dependencies that deserve a closer look. It is a lightweight entry point for local development and pre-release checks.