PkgRadar

Coverage npm

npm registry.npmjs.org

JavaScript / Node.js. Largest registry by package count and the most common supply-chain attack target; the scanner covers preinstall hooks, install-time remote payloads, lifecycle-diff vs prior release, and known-IOC filename matching.

Packages scanned

3.4M

High risk

40,242

Review

323.4K

High-severity findings

196.2K

Last scan

9m ago

Install-time attack surface

preinstall / install / postinstall scripts in package.json — run as part of `npm install`

Supported lockfile formats

Spec format

pkgradar gate --ecosystem npm [email protected]

Recent activity

The corpus-wide release feed lives on /campaigns. A per-ecosystem release feed for npm is on the roadmap — the stats above are filtered to this ecosystem in the meantime.

Other ecosystems