Monitors newly published npm package versions and flags publishes that introduce a preinstall or postinstall script. These lifecycle scripts can pose security risks, as they execute automatically during package installation and may be introduced in updates without users noticing.
The tool uses npm's replicate database (replicate.npmjs.com) to track changes, then fetches full package metadata from the registry to compare scripts between versions.
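The comparison step described above, as an added example that is not the project's own code: given a registry packument (the `versions`, `time` and `scripts` fields are the registry's real format), find the version published immediately before the new one and report install-time lifecycle scripts that were introduced or changed. The sample packument and the package name `example-pkg` are constructed; `install` is included alongside the two hooks the README names.

```javascript
// Lifecycle scripts that npm runs automatically during `npm install`.
// The README names preinstall and postinstall; `install` is added here.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Versions ordered by publish time, taken from the packument's `time` map
// and skipping its `created`/`modified` bookkeeping entries.
function versionsByPublishTime(packument) {
  return Object.entries(packument.time || {})
    .filter(([v]) => v !== "created" && v !== "modified" && packument.versions[v])
    .sort((a, b) => Date.parse(a[1]) - Date.parse(b[1]))
    .map(([v]) => v);
}

// Returns one finding per hook that is present in `newVersion` and differs
// from the previously published version; an empty array means nothing to flag.
function flagNewInstallScripts(packument, newVersion) {
  const ordered = versionsByPublishTime(packument);
  const idx = ordered.indexOf(newVersion);
  if (idx === -1) throw new Error(`unknown version ${newVersion}`);
  const prevVersion = idx > 0 ? ordered[idx - 1] : null;
  const prevScripts = prevVersion ? packument.versions[prevVersion].scripts || {} : {};
  const nextScripts = packument.versions[newVersion].scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const before = prevScripts[hook];
    const after = nextScripts[hook];
    if (after !== undefined && after !== before) {
      findings.push({ hook, previous: prevVersion, before: before ?? null, after });
    }
  }
  return findings;
}

// Constructed sample packument: 1.0.0 has no install hooks, 1.0.1 adds a postinstall.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  time: {
    created: "2026-01-18T09:00:00.000Z",
    "1.0.0": "2026-01-18T09:00:00.000Z",
    "1.0.1": "2026-01-19T14:30:00.000Z",
    modified: "2026-01-19T14:30:00.000Z",
  },
  versions: {
    "1.0.0": { version: "1.0.0", scripts: { test: "node test.js" } },
    "1.0.1": { version: "1.0.1", scripts: { test: "node test.js", postinstall: "node scripts/setup.js" } },
  },
};

console.log(flagNewInstallScripts(SAMPLE_PACKUMENT, "1.0.1"));
```

In the real tool the packument would come from the registry after a change notification from replicate.npmjs.com; here it is embedded so the block runs offline.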
Malicious packages are screened and reported by me. This project has led to the following results between January 18th and January 20th, 2026:
- 24 packages have been reported
- 24 packages have been removed
Including at least 6 instances of live malware:
Daniel Lockyer hi@daniellockyer.com
This project is licensed under the MIT License - see the LICENSE file for details.