PackageScanner Guide

How to scan in the browser, connect editors through MCP, run the official GitHub Action in CI, and use agent skills.

PackageScanner scans npm dependencies for known malware, OSV vulnerabilities, and helpful npm metadata signals so you can see supply-chain risk in one place.

  • Upload package.json and/or a lockfile to analyze the full dependency tree
  • Search a package name to check malware history and vulnerability signals
  • Use the same analysis engine from MCP or the official GitHub Action

Using the web app

Upload project files
Send your manifest and lockfile to run a scan.
  • Supports package.json and lockfiles for npm, pnpm, yarn, and bun
  • Uploading both gives the scan direct-dependency context from the manifest and exact resolved versions from the lockfile
  • Optionally enable npm metadata checks (publish date and license signals)
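The point of uploading both files is that each carries information the other lacks: the manifest says which packages you chose directly (and with what version range), while the lockfile says which exact versions actually got installed, including transitive ones. The following is an added illustration, not PackageScanner's own code; it assumes an npm lockfile in the lockfileVersion 3 layout and uses small constructed sample files built inline. It combines the two into the inventory a scanner would check, and also reports direct dependencies that the lockfile does not resolve at all, which a lockfile-only scan would silently miss.

```python
import json

# Constructed sample inputs (not real project files): a package.json manifest
# and a matching npm lockfile in the lockfileVersion 3 layout.
MANIFEST = json.loads("""
{
  "name": "demo-app",
  "dependencies": { "left-pad": "^1.3.0", "lodash": "~4.17.0" },
  "devDependencies": { "jest": "^29.0.0" }
}
""")

LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": { "left-pad": "^1.3.0", "lodash": "~4.17.0" },
      "devDependencies": { "jest": "^29.0.0" }
    },
    "node_modules/left-pad": { "version": "1.3.0" },
    "node_modules/lodash": { "version": "4.17.21" },
    "node_modules/jest": { "version": "29.7.0", "dev": true,
                           "dependencies": { "chalk": "^4.0.0" } },
    "node_modules/chalk": { "version": "4.1.2", "dev": true }
  }
}
""")


def package_name(path):
    """Turn a lockfile 'packages' key such as 'node_modules/a/node_modules/b'
    into the package name 'b'; scoped names ('@scope/pkg') survive intact."""
    marker = "node_modules/"
    return path[path.rfind(marker) + len(marker):]


def direct_dependencies(manifest):
    """Direct dependencies declared in package.json: name -> {range, dev}."""
    direct = {}
    for field, dev in (("dependencies", False), ("devDependencies", True)):
        for name, spec in manifest.get(field, {}).items():
            direct[name] = {"range": spec, "dev": dev}
    return direct


def resolved_packages(lockfile):
    """Every installed package with its exact version: name -> list of
    (version, dev). A name can appear more than once when nested copies
    of different versions are installed."""
    resolved = {}
    for path, meta in lockfile.get("packages", {}).items():
        if path == "" or "version" not in meta:   # "" is the project root
            continue
        resolved.setdefault(package_name(path), []).append(
            (meta["version"], bool(meta.get("dev", False))))
    return resolved


def scan_inventory(manifest, lockfile):
    """Combine both files into the list a scanner needs: exact versions from
    the lockfile, annotated with whether each package is a direct dependency
    (and its declared range) from the manifest."""
    direct = direct_dependencies(manifest)
    inventory = []
    for name, entries in sorted(resolved_packages(lockfile).items()):
        for version, dev in entries:
            inventory.append({
                "name": name,
                "version": version,
                "dev": dev,
                "direct": name in direct,
                "range": direct[name]["range"] if name in direct else None,
            })
    return inventory


def stale_direct_dependencies(manifest, lockfile):
    """Direct dependencies declared in package.json that the lockfile does
    not resolve at all: a sign the lockfile is out of date, so scanning the
    lockfile alone would never see them."""
    resolved = resolved_packages(lockfile)
    return sorted(n for n in direct_dependencies(manifest) if n not in resolved)


if __name__ == "__main__":
    for item in scan_inventory(MANIFEST, LOCKFILE):
        tag = "direct" if item["direct"] else "transitive"
        dev = ", dev" if item["dev"] else ""
        print(f"{item['name']}@{item['version']} ({tag}{dev})")
    print("unresolved direct dependencies:",
          stale_direct_dependencies(MANIFEST, LOCKFILE))
```

Run it as a script to list the four installed packages with their exact versions and direct/transitive status; `stale_direct_dependencies` returns an empty list for the matching pair above, and would name any package the manifest declares but the lockfile no longer contains.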


Analysis report
After an upload scan you get a shareable report page.
  • Review malware, vulnerability, and metadata findings in one view
  • Optionally create a share link (sharing cannot be undone)

For editor integration, CI, and agent skills, open MCP, GitHub Actions, or Skill in the sidebar.