node package manager



Audits npm packages for any known-malicious package names.


npm install npm-malice-audit -g


This is a CLI tool, so it is invoked from the command line.

You must provide a manifest of packages. A manifest is an array of npm package names and can be provided in two ways:


Use this if you want to check multiple packages without installing them.

First, the tool will look for an npm-malice-audit.json file with contents like this:



Use this if you want to check the dependencies of a project you have installed/cloned locally.

Second, the tool will look for a package.json file and use all of its dependencies, devDependencies, peerDependencies, and optionalDependencies as the package manifest.
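How the two manifest sources are assembled and checked, as an added Node.js example that is not npm-malice-audit's own code: it reads a manifest from either file as described above and flags any name on a constructed blocklist. It checks only the names in the manifest, not the full dependency tree the tool's report covers (that needs registry lookups).

```javascript
// Added example, not npm-malice-audit's own code. It builds the manifest the two ways
// the README describes and checks each name against a blocklist. The blocklist, the
// sample files and the placeholder package name are constructed for this example.

// Option 1: npm-malice-audit.json holds a JSON array of package names.
function manifestFromAuditJson(text) {
  const names = JSON.parse(text);
  if (!Array.isArray(names) || !names.every((n) => typeof n === 'string')) {
    throw new Error('npm-malice-audit.json must be an array of package names');
  }
  return names;
}

// Option 2: package.json, taking the union of all four dependency sections.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

function manifestFromPackageJson(text) {
  const pkg = JSON.parse(text);
  const names = new Set();
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(pkg[field] || {})) names.add(name);
  }
  return [...names]; // deduplicated: a name listed in two sections is audited once
}

// Audit: report every manifest entry whose exact name is on the blocklist.
// Scoped names (@scope/name) must match in full; the bare name alone is not enough.
function auditManifest(manifest, blocklist) {
  const bad = new Set(blocklist);
  const malicious = manifest.filter((name) => bad.has(name));
  return { audited: manifest.length, malicious };
}

// Constructed sample inputs (the blocklisted name is a placeholder, not a real package).
const SAMPLE_AUDIT_JSON = '["async", "lodash", "npm-remote-ls"]';
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { async: '^3.0.0', 'malicious-placeholder-pkg': '1.0.0' },
  devDependencies: { lodash: '^4.0.0' },
  peerDependencies: { react: '>=16' },
  optionalDependencies: { async: '^3.0.0' },
});
const SAMPLE_BLOCKLIST = ['malicious-placeholder-pkg'];

function runSample() {
  return {
    fromAudit: auditManifest(manifestFromAuditJson(SAMPLE_AUDIT_JSON), SAMPLE_BLOCKLIST),
    fromPkg: auditManifest(manifestFromPackageJson(SAMPLE_PACKAGE_JSON), SAMPLE_BLOCKLIST),
  };
}
```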


If a non-empty manifest is found, a report similar to the following will be produced:

$ npm-malice-audit
| async |
Audited 673 packages.
Completed in 79.481 seconds.
Found 0 malicious packages in the tree!
| lodash |
Audited 1 packages.
Completed in 0.202 seconds.
Found 0 malicious packages in the tree!
| npm-remote-ls |
Audited 405 packages.
Completed in 42.203 seconds.
Found 0 malicious packages in the tree!
= SUMMARY ==============================
Audited 1079 total packages.
Completed audit in 121.899 seconds.
Found a total of 0 malicious packages!

You may also see an = ERRORS = section above the = SUMMARY =. This includes messages logged when there are problems looking up packages.

Note: Large packages with many dependencies can take a long time to resolve because building the tree requires many registry requests - patience is a virtue!