I Built a Zero-Dependency Supply-Chain Security Scanner for Node.js — 18 Checks, One Command
The npm install trust problem When you run npm install , you're trusting hundreds of strangers to not run malicious code on your machine. And that trust has been broken — repeatedly. Packages like event-stream , ua-parser-js , and coa were hijacked to steal credentials, install backdoors, and exfiltrate data through postinstall scripts. By the time npm install finishes, the damage is already done. The traditional answer? npm audit . But that only catches known CVEs . It completely misses: Typosquatted packages hiding in your lockfile Dropper packages that curl | sh in postinstall Tampered package.json files swapped after install C2 domains hardcoded in dependencies Stolen npm tokens used to publish without CI/CD provenance I needed something better. So I built it. Meet sec-check — one comm
The npm install trust problem
When you run npm install, you're trusting hundreds of strangers to not run malicious code on your machine. And that trust has been broken — repeatedly.
Packages like event-stream, ua-parser-js, and coa were hijacked to steal credentials, install backdoors, and exfiltrate data through postinstall scripts. By the time npm install finishes, the damage is already done.
The traditional answer? npm audit. But that only catches known CVEs. It completely misses:
-
Typosquatted packages hiding in your lockfile
-
Dropper packages that curl | sh in postinstall
-
Tampered package.json files swapped after install
-
C2 domains hardcoded in dependencies
-
Stolen npm tokens used to publish without CI/CD provenance
I needed something better. So I built it.
Meet sec-check — one command, 18 security checks, zero dependencies
npx @sathyendra/security-checker
Enter fullscreen mode
Exit fullscreen mode
That's the entire setup. No config files, no API keys, no build step. It scans your project and tells you what's wrong:
────────────────────────────────────────────────────────────────────── @sathyendra/security-checker — Diagnostic Report ────────────────────────────────────────────────────────────────────── 🚨 CRITICAL: plain-crypto-js detected in node_modules [FIXABLE] 🚨 LOCKFILE: flatmap-stream found in dependency tree [FIXABLE] 🚨 DROPPER: suspicious-pkg has postinstall with curl | sh [MANUAL] ⚠️ PROVENANCE: "[email protected]" — Manual Publish Detected [MANUAL] ⚠️ OUTDATED: [email protected] — 2 major versions behind [MANUAL] ────────────────────────────────────────────────────────────────────── 5 threat(s) found | 2 fixable | 3 require manual review Run with --fix to auto-remediate fixable threats. ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── @sathyendra/security-checker — Diagnostic Report ────────────────────────────────────────────────────────────────────── 🚨 CRITICAL: plain-crypto-js detected in node_modules [FIXABLE] 🚨 LOCKFILE: flatmap-stream found in dependency tree [FIXABLE] 🚨 DROPPER: suspicious-pkg has postinstall with curl | sh [MANUAL] ⚠️ PROVENANCE: "[email protected]" — Manual Publish Detected [MANUAL] ⚠️ OUTDATED: [email protected] — 2 major versions behind [MANUAL] ────────────────────────────────────────────────────────────────────── 5 threat(s) found | 2 fixable | 3 require manual review Run with --fix to auto-remediate fixable threats. ──────────────────────────────────────────────────────────────────────Enter fullscreen mode
Exit fullscreen mode
Why zero dependencies?
A security tool that pulls in 200 transitive dependencies is an oxymoron. Every dependency is attack surface. sec-check uses only Node.js built-ins (fs, path, crypto, child_process, os, https) — nothing from npm. The tool that checks your supply chain has no supply chain of its own.
What does it actually check?
Here's the full list of 18 detection modules:
Check What it catches
1
Malicious packages
Known bad packages (e.g. plain-crypto-js) in node_modules
2 npm audit High/critical CVEs
3 Deep lockfile audit Malicious packages buried in the full dependency tree
4
Dropper detection
Packages with postinstall scripts but no real code — the "install-and-run" pattern
5 Integrity checksums Post-install tampering (hash mismatch vs lockfile and registry)
6 Decoy swap detection
package.md, .bak artifacts — the exact trick used in the Axios attack
7 TeamPCP / WAVESHAPER RAT artifacts, persistence mechanisms across Windows/macOS/Linux
8 C2 domains Known command-and-control domains in your hosts file
9 Cross-ecosystem (PyPI) Malicious PyPI packages from the same campaigns
10
Python stager detection
Suspicious .py files with backdoor patterns in Node.js projects
11 Malicious .pth files Python's "importless execution" technique in site-packages
12 Provenance verification Popular packages published without CI/CD provenance (stolen token indicator)
13 Shadow execution
LD_PRELOAD, DYLD_INSERT_LIBRARIES, NODE_OPTIONS --require hijacking
14 Outdated dependencies Major version drift = no security patches
15 Registry configuration Dependency Confusion via non-official or HTTP registries
16
Lifecycle script injection
curl
17 Dependency script sandboxing Same analysis on every dependency's lifecycle scripts
18
Secrets detection
{% raw %}.env files, hardcoded NPM_TOKEN, AWS keys, GitHub tokens, PEM keys
Plus bonus checks: npm doctor, lockfile enforcement, SSRF/C2 blocklist scan, environment variable audit, and Lockfile Sentinel (hash comparison against known-compromised database).
The killer feature: Zero Trust Shield
Instead of the traditional "install and hope" workflow, Shield gives you defense-in-depth:
sec-check --shield
Enter fullscreen mode
Exit fullscreen mode
▸ Stage 1: Pre-flight — scan lockfile & config BEFORE downloading anything ▸ Stage 2: Isolated Install — npm install --ignore-scripts (no code execution) ▸ Stage 3: Post-vetting — full integrity & security scan on downloaded files▸ Stage 1: Pre-flight — scan lockfile & config BEFORE downloading anything ▸ Stage 2: Isolated Install — npm install --ignore-scripts (no code execution) ▸ Stage 3: Post-vetting — full integrity & security scan on downloaded filesEnter fullscreen mode
Exit fullscreen mode
This is the workflow that would have caught every major npm supply-chain attack. The malicious postinstall never runs because Stage 2 uses --ignore-scripts, and Stage 3 catches any artifacts before you run your code.
OWASP Top 10 mapping
Three Shield features map directly to OWASP risk categories, so you can reference them in compliance conversations:
OWASP Risk Feature What it does
A03: Injection Script Blocker Flags dangerous commands in lifecycle hooks before execution
A05: Misconfiguration
Registry Guard
Rejects non-official or HTTP registries across .npmrc, env, and lockfile
A08: Integrity Failures Lockfile Sentinel Compares lockfile hashes against known-compromised database
CI/CD integration in 30 seconds
Add one line to your GitHub Actions workflow:
- name: Security scan run: npx @sathyendra/security-checker- name: Security scan run: npx @sathyendra/security-checkerEnter fullscreen mode
Exit fullscreen mode
Exit code 1 = threats found = pipeline fails. That's it.
For structured output (dashboards, artifact collection):
sec-check --json > scan-results.json
Enter fullscreen mode
Exit fullscreen mode
For compliance artifacts:
sec-check --vex-out # CycloneDX VEX document sec-check --sbom # CycloneDX SBOMsec-check --vex-out # CycloneDX VEX document sec-check --sbom # CycloneDX SBOMEnter fullscreen mode
Exit fullscreen mode
Auto-fix what can be fixed
Not into manual cleanup? The --fix flag handles the boring stuff:
sec-check --fix
Enter fullscreen mode
Exit fullscreen mode
Threat
What --fix does
Malicious packages
npm uninstall
Audit vulnerabilities
npm audit fix
Integrity mismatches
npm ci (clean reinstall)
Swap artifacts Deletes the artifact file
Threats that need human judgment (provenance issues, C2 indicators, system artifacts) stay as [MANUAL] — the tool never makes destructive decisions for you.
Quick start
# One-shot scan (no install needed) npx @sathyendra/security-checker# One-shot scan (no install needed) npx @sathyendra/security-checkerInstall as dev dependency
npm install --save-dev @sathyendra/security-checker
Auto-fix fixable threats
sec-check --fix
Protect every future install
sec-check --init
Full Zero Trust workflow
sec-check --shield`
Enter fullscreen mode
Exit fullscreen mode
Try it now
The best way to evaluate it is to point it at your own project:
cd your-project npx @sathyendra/security-checkercd your-project npx @sathyendra/security-checkerEnter fullscreen mode
Exit fullscreen mode
If it finds something, that's a good thing — you just caught it before an attacker exploited it.
Links:
-
📦 npm: @sathyendra/security-checker
-
🔗 GitHub: sathyendrav/security-checker
-
📄 Full README with all 18 checks explained
If this is useful, a ⭐ on GitHub or an npm i helps more than you'd think. Questions, feature requests, or "it flagged something weird" — open an issue, I read all of them.
Sign in to highlight and annotate this article
Conversation starters
Daily AI Digest
Get the top 5 AI stories delivered to your inbox every morning.
More about
versionfeatureintegration
I Built Consistent Hashing From Scratch in Go — Here's What I Learned
If you've ever added a server to a cache cluster and watched your database melt, you already know the problem consistent hashing solves. You just might not know it by name. I built a full implementation from scratch in Go to understand it deeply. This post walks through what I learned — the problem, the fix, and the gotchas nobody tells you about. The five-minute version You have 5 cache servers. You route keys with hash(key) % 5 . Life is good. Then traffic spikes and you add a 6th server. Now it's hash(key) % 6 . Sounds harmless, right? Here's what actually happens: Before: hash("user:1001") % 5 = 3 → Server C After: hash("user:1001") % 6 = 1 → Server A ← moved! That key was sitting happily on Server C. Now every client thinks it's on Server A, where it doesn't exist. Cache miss. The req
Multi-Stage Continuous Delivery
Multi-Stage Continuous Delivery - Speaker Deck speakerdeck.com El problema con los pipelines tradicionales El concepto de Multi-Stage CD es sencillo: llevas código a prod en varias iteraciones y a través de diferentes ambientes — dev, staging, prod — con fases bien definidas: build, prepare, deploy, test, notify, rollback. Suena limpio. Y en papel, lo es. El problema es la realidad. Según el State of DevOps Report 2020, el 95% del tiempo se va en mantenimiento de pipelines, el 80% en tareas manuales, y el 90% en remediación también manual. Nadie escribe esas métricas en su README, pero todos las vivimos. Los retos concretos son tres y son los de siempre: la disponibilidad de ambientes (el clásico "no le muevan a dev que estoy probando algo" ), satisfacer dependencias externas correctamente
Knowledge Map
Connected Articles — Knowledge Graph
This article is connected to other articles through shared AI topics and tags.
More in Products
From MOUs to Markets: Transatlantic Deals Face Reality Test
Why transatlantic execution, not transatlantic symbolism, now matters to the electronics and semiconductor supply chain. The post From MOUs to Markets: Transatlantic Deals Face Reality Test appeared first on EE Times . ]]>
RLDatix's Connected Healthcare Summit Draws 400+ Health System Leaders as Company Advances AI-Powered Patient Safety and Provider Performance Solutions - PR Newswire
RLDatix's Connected Healthcare Summit Draws 400+ Health System Leaders as Company Advances AI-Powered Patient Safety and Provider Performance Solutions PR Newswire
Discussion
Sign in to join the discussion
No comments yet — be the first to share your thoughts!