npm supply chain protection
Know what your dependencies are doing.
dep-trust scans your npm dependency tree for supply chain attack indicators — freshly published packages, typosquatting, obfuscated code payloads, malicious install scripts, and missing SLSA provenance.
100% Free forever. No credit card.
The problem
npm audit checks for CVEs. It doesn't check for hijacked packages.
Supply chain attacks work by publishing compromised versions of popular packages. The attacker gains access to a maintainer account, pushes a malicious patch, and every downstream project that installs or updates inherits the payload. The attack window is typically hours — not days.
dep-trust fills the gap. It flags freshly published dependencies, detects typosquatted packages, deep-scans source code for obfuscated payloads, validates SLSA provenance, and tracks maintainer changes—all before malicious code reaches production.
How it works
Six checks. One command.
Freshness Check
Queries the npm registry for publish timestamps. Flags any dependency whose latest version was pushed within the last 72 hours — the primary attack window.
Maintainer Changes
Diffs dependency maintainers against a baseline snapshot. Automatically flags when an unknown maintainer publishes a patch.
Typosquatting
Compares trees against a corpus of 2,500+ popular npm packages using an optimized Levenshtein algorithm.
Deep Static Analysis
Runs static analysis on suspicious dependencies, looking for obfuscated payloads, credential harvesting, dynamic execution (eval), and hidden HTTP requests.
Install Scripts
Scans node_modules for preinstall & postinstall hooks. New scripts are instantly highlighted.
SLSA Provenance Validation
Checks the npm registry for signed attestations, warning you when a flagged package lacks a verifiable build provenance.
Get started
One install. Zero configuration.
Install
npm install -g dep-trust
Usage
dep-trust scan dep-trust scan --deep dep-trust scan --sbom dep-trust snapshot