Dev.to
6/18/2026

I built a free IDE extension to catch malicious npm packages before they wreck your project
Short summary
A developer created NPM Safety Guard, a free MIT-licensed IDE extension that scans package.json and lockfiles for malicious packages. It catches 22 threat types including known malware, CVEs, typosquatting, install hooks, and obfuscated code via local AST scanning. Available for VS Code, JetBrains IDEs, and VSCodium with no account required.
- •Detects 22 supply-chain attack vectors: malware, CVEs, typosquatting, dependency confusion, secret leaks, and obfuscation
- •Integrated directly into VS Code, Cursor, Windsurf, JetBrains IDEs, and VSCodium—no CLI required
- •Free, MIT-licensed, requires no API keys or account for core detection layers
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



