PackageScanner Guide

How to scan in the browser, connect editors through MCP, run the official GitHub Action in CI, and use agent skills.

PackageScanner scans npm dependencies for known malware, OSV vulnerabilities, and helpful npm metadata signals so you can see supply-chain risk in one place.

  • Upload package.json and/or a lockfile to analyze the full dependency tree
  • Search a package name to check malware history and vulnerability signals
  • Use the same analysis engine from MCP or the official GitHub Action

Using the web app

Upload project files
Send your manifest and lockfile to run a scan.
  • Supports package.json and lockfiles for npm, pnpm, yarn, and bun
  • Uploading both improves direct-dependency context and exact resolved versions
  • Optionally enable npm metadata checks (publish date and license signals)

Analysis report
After an upload scan you get a shareable report page.
  • Review malware, vulnerability, and metadata findings in one view
  • Optionally create a share link (sharing cannot be undone)

Security notes
Review these points before using PackageScanner through MCP, GitHub Actions, or Skill.
  • Lockfile and package.json contents are sent to the PackageScanner API at https://www.package-scanner.dev.
  • If your policy forbids sending private dependency contents to an external service, decide whether uploading them is appropriate for your organization before you scan.
  • The MCP endpoint and Skill are read-only and cannot modify your project files or system.
  • Analysis is based on known malware databases and OSV, so results are not exhaustive: a package that appears in neither source produces no finding.
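Two of the points above, that uploading both files gives direct-dependency context plus exact resolved versions, and that you should decide whether private dependency contents may leave your organization, can be checked locally before anything is sent. The following is an added example, not PackageScanner's own code; the package.json, the lockfileVersion 3 package-lock.json and the registry allow-list are constructed for the demo, and the PackageScanner API is not called.

```javascript
// Added example (not PackageScanner's code): offline preview of what an upload
// would contain. Both inputs below are constructed sample files.
const PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { "left-pad": "^1.3.0", "@acme/internal-utils": "^2.0.0" },
  devDependencies: { typescript: "^5.0.0" },
});
const LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/@acme/internal-utils": { version: "2.1.0", resolved: "https://npm.acme.internal/@acme/internal-utils/-/internal-utils-2.1.0.tgz" },
    "node_modules/typescript": { version: "5.4.5", resolved: "https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz", dev: true },
    "node_modules/tslib": { version: "2.6.2", resolved: "https://registry.npmjs.org/tslib/-/tslib-2.6.2.tgz" },
  },
});

// "node_modules/a/node_modules/@s/b" -> name "@s/b"; topLevel means not nested.
function parsePath(p) {
  const parts = p.split("node_modules/");
  return { name: parts[parts.length - 1], topLevel: parts.length === 2 };
}

// allowedRegistries is an assumed policy setting: anything resolved elsewhere is
// flagged so the organization can decide whether that content may be uploaded.
function previewUpload(pkgJsonText, lockText, allowedRegistries = ["https://registry.npmjs.org/"]) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = JSON.parse(lockText);
  // package.json supplies the direct-dependency context (what you asked for).
  const directSpecs = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const resolved = new Map(); // name -> exact version from the lockfile
  const nonPublic = []; // entries not fetched from an allowed public registry
  let totalPackages = 0;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    totalPackages += 1;
    const { name, topLevel } = parsePath(path);
    if (topLevel || !resolved.has(name)) resolved.set(name, entry.version);
    // A missing "resolved" (workspace link, git dep) is flagged too: it needs review.
    const src = entry.resolved || "";
    if (!allowedRegistries.some((r) => src.startsWith(r))) {
      nonPublic.push({ name, version: entry.version, resolved: src });
    }
  }
  const direct = Object.entries(directSpecs).map(([name, spec]) => ({ name, spec, version: resolved.get(name) ?? null }));
  return { direct, totalPackages, nonPublic };
}
```

Run it with `node` and inspect `previewUpload(PACKAGE_JSON, LOCKFILE)`: every direct dependency is paired with its lockfile-resolved version, and `nonPublic` lists the one package that came from an internal registry.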

For editor integration, CI, and agent skills, open MCP, GitHub Actions, or Skill in the sidebar.