Package Exports
- @lateos/npm-scan
- @lateos/npm-scan/backend/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@lateos/npm-scan) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
@lateos/npm-scan
Modern supply chain security for the npm ecosystem.
Static + behavioral analysis that catches what npm audit, Snyk, and Socket miss β obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation.
π The Problem
The 2025β2026 wave of npm supply chain attacks proved that traditional tooling is no longer enough.
Attackers have moved past simple typosquatting. They now ship obfuscated preinstall hooks, credential harvesters hidden behind environment detection, dormant backdoors with time-based activation, and worm-style transitive propagation that spreads through peer dependencies.
npm audit checks known CVEs. Snyk scans for vulnerabilities. Socket looks at package behavior. None of them were designed for the generation of attacks that emerged in 2025 β attacks that look benign until they reach production.
@lateos/npm-scan was built for this moment.
π¬ Why @lateos/npm-scan?
| Capability | npm audit | Snyk | Socket | @lateos/npm-scan |
|---|---|---|---|---|
| Known CVE matching | β | β | β | β |
| Static analysis | β | β | β | β |
| Obfuscated payload detection | β | β | β | β |
| Behavioral / heuristic analysis | β | β | Partial | β |
| Conditional trigger detection (ATK-009) | β | β | β | β |
| Sandbox evasion detection (ATK-010) | β | β | β | β |
| Transitive worm propagation (ATK-011) | β | β | β | β |
| Attack taxonomy (ATK series) | β | β | β | β |
| SBOM output (CycloneDX + SPDX) | β | β | β | β |
| NIST 800-161 compliance reporting | β | β | β | β |
| EU CRA compliance reporting | β | β | β | β |
| SIEM export (CEF / ECS / Sentinel / QRadar) | β | β | β | β |
| Runs entirely locally β no telemetry | β | β | β | β |
| Policy-as-code (YAML allowlists) | β | β | β | β |
Privacy first. All scanning happens on your machine. No code leaves your environment. No telemetry. No cloud dependency.
β¨ Key Features
| Icon | Feature | Description |
|---|---|---|
| π΅οΈ | Heuristic static analysis | AST-level inspection catches obfuscation, eval chains, env probing, and suspicious lifecycle scripts that regex-based tools miss |
| π§ | Behavioral detection | Identifies conditional triggers (time-based, CI-aware), sandbox evasion, and dormant activation patterns |
| 𧬠| ATK attack taxonomy | 11 classified attack types with NIST 800-161 mappings β versioned, documented, and PR-able |
| π¦ | SBOM generation | CycloneDX 1.5 and SPDX 2.3 with findings embedded as vulnerabilities |
| π§Ύ | Compliance reporting | NIST SP 800-161 traceability matrix + EU Cyber Resilience Act mapping (free tier) |
| π | SIEM export | Splunk CEF, Elastic ECS, Microsoft Sentinel, IBM QRadar formats (premium) |
| π | Policy-as-code | YAML/JSON policy engine with allowlists, severity overrides, suppressions, and fail-on thresholds |
| π³ | Docker + GitHub Action | Multi-arch images, one-command Compose pipeline, PR scan action |
| π‘οΈ | Zero telemetry | No data leaves your machine. No cloud. No callbacks. |
| πΎ | Local scan history | SQLite-backed persistence, zero external dependencies |
β‘ Quick Start
# Install globally
npm install -g @lateos/npm-scan
# Scan a single package
npm-scan scan lodash
# Scan your lockfile
npm-scan scan-lockfile
# View latest scans
npm-scan reportNo install? No problem:
npx @lateos/npm-scan scan commanderπ Usage Examples
Scan a single package
# Default JSON output with all findings
npm-scan scan axios
# Generate an SBOM alongside the scan
npm-scan scan express --sbom # CycloneDX JSON
npm-scan scan express --sbom xml # CycloneDX XML
npm-scan scan express --sbom spdx # SPDX 2.3
# Apply a YAML policy
npm-scan scan some-package --policy .npm-scan.ymlScan a lockfile
# Scan the current project's dependencies
npm-scan scan-lockfile
# Scan a specific lockfile
npm-scan scan-lockfile -f ./path/to/package-lock.jsonGenerate reports
# List all recent scans
npm-scan report
# View a specific scan
npm-scan report -i 42
# Generate an HTML report (free) with full findings + NIST table
npm-scan report -i 42 --html
# Print NIST 800-161 compliance table
npm-scan report -i 42 --nist
# Print EU CRA compliance table
npm-scan report --cra
# Text report (free)
npm-scan report --text
# PDF report (premium)
npm-scan report --pdf --license-key <key>
# SIEM export (premium)
npm-scan report --siem cef # Splunk CEF
npm-scan report --siem ecs # Elastic ECS
npm-scan report --siem sentinel # Microsoft Sentinel
npm-scan report --siem qradar # IBM QRadar
# Combine all scans into a single report
npm-scan report --html # all scans
npm-scan report --pdf # all scans (premium)𧬠Detection Capabilities (ATK Taxonomy)
| ID | Attack Class | Detection Method | Severity | NIST 800-161 |
|---|---|---|---|---|
| ATK-001 | Malicious lifecycle scripts (preinstall, postinstall, install) |
Static | π΄ high | SR-3.1 |
| ATK-002 | Obfuscated payload delivery (hex, base64, eval chains) | Static | π medium | SR-4.2 |
| ATK-003 | Credential harvesting (env vars, .npmrc, SSH keys) | Static + Dynamic | π΄ high | SR-5.3 |
| ATK-004 | Persistence via editor/config dirs (.vscode, .claude, .cursor) | Static | π΄ high | SR-6.4 |
| ATK-005 | Network exfiltration (GitHub API, DNS tunneling, HTTP C2) | Static + Dynamic | β« critical | SR-7.5 |
| ATK-006 | Dependency confusion / namespace squatting | Static (lockfile) | π medium | SR-2.2 |
| ATK-007 | Typosquatting (edit-distance matching) | Static | π’ low | SR-2.1 |
| ATK-008 | Tarball tampering (published β source) | Static | π΄ high | SR-8.1 |
| ATK-009 | Conditional/dormant triggers (CI detection, time-based) | Behavioral | π΄ high | SR-9.2 |
| ATK-010 | Sandbox evasion / anti-analysis | Behavioral | π medium | SR-10.3 |
| ATK-011 | Transitive propagation (worm-style lateral spread) | Behavioral | π΄ high | SR-11.4 |
How evasive attacks are caught: ATK-009 detects packages that check
process.env.CI, probe hostnames, or use time-based activation. ATK-010 flagsdebuggerstatements,os.hostname()probes, and env fingerprinting. ATK-011 traces peer dependency graphs to detect worm-like propagation patterns.
Seedocs/attack-taxonomy.mdfor full evasion surface documentation and PoC examples.
π Output & Reports
Formats
| Format | Availability | Description |
|---|---|---|
| JSON | β Free | Structured machine-readable findings |
| HTML | β Free | Rich HTML report with NIST compliance table, severity badges, control matrix |
| Text | β Free | Clean terminal-friendly text report |
| CycloneDX SBOM | β Free | Industry-standard SBOM with findings as vulnerabilities |
| SPDX SBOM | β Free | SPDX 2.3 document format |
| NIST 800-161 | β Free | Control traceability matrix (SR-2.1 β SR-11.4) |
| EU CRA | β Free | Cyber Resilience Act article mapping |
| π Premium | Multi-page PDF with title page, findings table, NIST compliance matrix | |
| Splunk CEF | π Premium | Common Event Format for Splunk ingestion |
| Elastic ECS | π Premium | Elastic Common Schema format |
| Microsoft Sentinel | π Premium | Sentinel-ready formatted output |
| IBM QRadar | π Premium | QRadar DSM-ready format with QID mappings |
Sample output
{
"scanId": 1,
"findings": [
{
"id": "ATK-003",
"severity": "high",
"title": "Credential harvesting",
"evidence": "process.env.NPM_TOKEN detected in postinstall.js:17"
}
]
}βοΈ Configuration & Advanced Usage
Policy-as-code
Define allowlists, severity overrides, suppressions, and fail thresholds in a YAML file:
# .npm-scan.yml
allowlist:
- lodash
- chalk
severity_overrides:
- id: ATK-001
severity: medium
suppress:
- atk_id: ATK-009
- package: some-package
fail_on: highnpm-scan scan target --policy .npm-scan.ymlEnvironment variables
| Variable | Description | Default |
|---|---|---|
NPM_SCAN_LICENSE_KEY |
Premium / enterprise license key | β |
NPM_SCAN_DATA_DIR |
Scan history directory | ./.npm-scan |
NPM_SCAN_LOG_LEVEL |
Log verbosity | info |
Premium licensing
# Generate a development key
node -e "console.log(require('@lateos/npm-scan/backend/license').generateKey('premium'))"
# Use it
npm-scan scan target --license-key <key>
npm-scan report --pdf --license-key <key>
npm-scan report --siem cef --license-key <key>π Integrations
GitHub Action
Scan your lockfile on every PR. Add to .github/workflows/scan.yml:
name: npm-scan
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: lateos/npm-scan-action@v1
with:
lockfile: package-lock.json
policy: .npm-scan.yml # optional
license-key: ${{ secrets.NPM_SCAN_LICENSE_KEY }} # optional (premium)Docker
# Pull and run
docker pull ghcr.io/lateos/npm-scan:cli
docker run --rm ghcr.io/lateos/npm-scan:cli scan lodash
# Full pipeline with Compose (Redis-based queue)
docker compose --profile pipeline up -d
# CLI with persistent storage
docker compose --profile cli up -dMulti-arch images available for linux/amd64 and linux/arm64.
CI/CD
# Fail the build if critical findings exist
npm-scan scan express --policy .npm-scan.yml || exit 1πΊοΈ Roadmap & Enterprise Features
Free tier (shipped)
- All 11 ATK detectors (static + behavioral)
- SBOM output (CycloneDX + SPDX)
- HTML, text, and compliance reports (NIST + EU CRA)
- Policy-as-code engine (YAML)
- Local SQLite scan history
- GitHub Action
- Docker images + Compose pipeline
Premium (π license key)
- PDF compliance reports with NIST traceability matrix
- SIEM export (Splunk CEF, Elastic ECS, Microsoft Sentinel, IBM QRadar)
- Dynamic sandbox (gVisor-based β ATK-008β010)
- Reachability analysis (call graph filtering)
Enterprise (π’ custom license)
- SAML 2.0 SSO (Okta, Azure AD, OneLogin, Keycloak)
- REST API + webhooks (FastAPI)
- Team RBAC + audit logs
- Helm chart for Kubernetes deployment
- PostgreSQL backend for hosted/team tier
- SLA-backed priority support
π€ Contributing
We welcome contributions β especially new detectors, improved evasion resistance, and compliance templates.
See docs/attack-taxonomy.md for the ATK governance process. Every new detector requires:
- A proof-of-concept sample
- A detection rule with tests
- False-positive analysis on top-500 npm packages
- NIST 800-161 control mapping
git clone https://github.com/lateos/npm-scan.git
npm install
npm testNeed help?
- π Read the project plan
- 𧬠Review the attack taxonomy
- π Open an issue or PR
π License
Apache-2.0 core + Commons Clause.
See LICENSING.md for the exact boundary between free and premium features.
@lateos/npm-scan β npm supply chain security scanner
Copyright (C) 2026 Lateos
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.Scan your first package now:
npx @lateos/npm-scan scan lodash