npm supply chain protection

Know what your dependencies are doing.

dep-trust scans your npm dependency tree for supply chain attack indicators — freshly published packages, typosquatting, obfuscated code payloads, malicious install scripts, and missing SLSA provenance.

100% Free forever. No credit card.

$ dep-trust scan
dep-trust v0.1.0
scanning 142 packages...
FRESHNESS
lodash 4.17.22 published 6h ago
axios 1.7.4 published 18h ago
express 4.18.2 published 43d ago
INSTALL SCRIPTS
esbuild NEW has postinstall script
~ node-gyp SEEN has install script
LOCKFILE DIFF
+ added: semver@7.6.3
bumped: typescript 5.4.2 → 5.5.0
SUMMARY 2 freshness flags 1 new install script 2 lockfile changes

The problem

npm audit checks for CVEs. It doesn't check for hijacked packages.

Supply chain attacks work by publishing compromised versions of popular packages. The attacker gains access to a maintainer account, pushes a malicious patch, and every downstream project that installs or updates inherits the payload. The attack window is typically hours — not days.

dep-trust fills the gap. It flags freshly published dependencies, detects typosquatted packages, deep-scans source code for obfuscated payloads, validates SLSA provenance, and tracks maintainer changes—all before malicious code reaches production.

How it works

Six checks. One command.

01

Freshness Check

Queries the npm registry for publish timestamps. Flags any dependency whose latest version was pushed within the last 72 hours — the primary attack window.

02

Maintainer Changes

Diffs dependency maintainers against a baseline snapshot. Automatically flags when an unknown maintainer publishes a patch.

03

Typosquatting

Compares trees against a corpus of 2,500+ popular npm packages using an optimized Levenshtein algorithm.

04

Deep Static Analysis

Runs static analysis on suspicious dependencies, looking for obfuscated payloads, credential harvesting, dynamic execution (eval), and hidden HTTP requests.

05

Install Scripts

Scans node_modules for preinstall & postinstall hooks. New scripts are instantly highlighted.

06

SLSA Provenance Validation

Checks the npm registry for signed attestations, warning you when a flagged package lacks a verifiable build provenance.

Get started

One install. Zero configuration.

Install

npm install -g dep-trust

Usage

dep-trust scan
dep-trust scan --deep
dep-trust scan --sbom
dep-trust snapshot