PkgRadar


npm registry.npmjs.org

JavaScript / Node.js. Largest registry by package count and the most common supply-chain attack target; the scanner covers preinstall hooks, install-time remote payloads, lifecycle-diff vs prior release, and known-IOC filename matching.

Packages scanned

483,634

High risk

4,569

Review

53,806

High-severity findings

33,483

Last scan

28s ago

Install-time attack surface

preinstall / install / postinstall scripts in package.json — run as part of `npm install`

Supported lockfile formats

Spec format

pkgradar gate --ecosystem npm [email protected]

Recent activity

The corpus-wide release feed lives on /campaigns. A per-ecosystem release feed for npm is on the roadmap — the stats above are filtered to this ecosystem in the meantime.
