I built a free IDE extension to catch malicious npm packages before they wreck your project

Supply-chain attacks via npm are up year-over-year, and packages like event-stream were caught after the fact, so I built NPM Safety Guard. It scans your package.json and lockfiles right inside your editor, with no separate CLI step. Here's what it currently catches across 22 detection layers:

- Known malicious packages — DPRK RAT drops, Lazarus-linked packages, event-stream clones
- CVEs — via OSV.dev, cached locally (free, no API key needed)
- Typosquatting & homoglyph attacks — catches lodahs, reàct, and AI-hallucinated package names
- Install script hooks — flags preinstall/postinstall before you run them
- Deep tarball AST scan — detects obfuscation, eval, and payload patterns in the actual source
- Dependency confusion — scoped packages planted on public npm to hijack private installs
- Exposed secrets — API keys, tokens, private keys accidentally left in .env, .npmrc, .pem
- MCP server config scanner — catches typosquatted or malicious MCP transport configs
- Supply chain graph — interactive force-directed graph with risk overlay from your lockfile
- OSSF Scorecard + Socket.dev score — security hygiene at a glance

- VS Code / Cursor / Windsurf → VS Code Marketplace
- VS Codium / open-source IDEs → Open VSX Registry
- WebStorm / IntelliJ IDEA / all JetBrains IDEs → JetBrains Marketplace

All free. No account required for the core layers. MIT licensed on the VS Code side.

The VS Code extension is TypeScript. The JetBrains plugin is Kotlin. They share the same CVE lookups, which hit OSV.dev with a 24-hour local cache so you're not waiting on a network.

Have you been burned by a supply-chain attack before? Or do you have a detection layer you wish existed? Drop it in the comments — I'm actively adding new signatures.
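To make three of the layers above concrete, here is an added example in TypeScript. It is not code from NPM Safety Guard; it is a minimal stand-alone scanner that covers install-script hooks, typosquat/homoglyph detection against a short allowlist of popular names, and dependency confusion read off a package-lock's `resolved` URLs. The popular-package list, the `@acme` private scope, the confusable-letter table and the sample manifest and lockfile are all assumptions constructed for the example.

```typescript
// Added example, not code from NPM Safety Guard. Demonstrates three detection
// layers over constructed inputs: install-script hooks in package.json,
// typosquats/homoglyphs of popular names, and dependency confusion spotted via
// the lockfile's "resolved" URLs. POPULAR, PRIVATE_SCOPES, CONFUSABLES and the
// sample files below are assumptions for the example.

export type Finding = { layer: string; pkg: string; detail: string };

const POPULAR = ["lodash", "react", "express", "chalk", "axios"]; // assumed allowlist
const PRIVATE_SCOPES = ["@acme"]; // assumed: scopes served only by an internal registry
const HOOKS = ["preinstall", "install", "postinstall", "prepare"]; // run by npm on install

// Cyrillic/Greek letters that look like Latin ones; NFKD does not fold these.
const CONFUSABLES: Record<string, string> = {
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
  "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o",
};

// Reduce a name to an ASCII skeleton: NFKD, strip combining accents
// (reàct -> react), then map confusable letters to their Latin look-alikes.
export function skeleton(name: string): string {
  return name.normalize("NFKD").replace(/[\u0300-\u036f]/g, "")
    .split("").map((ch) => CONFUSABLES[ch] ?? ch).join("").toLowerCase();
}

// Optimal-string-alignment distance: a swapped pair (lodahs/lodash) costs 1.
export function editDistance(a: string, b: string): number {
  const d: number[][] = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Flags lifecycle hooks and dependency names that are one edit or one
// look-alike character away from a popular package.
export function scanManifest(manifestJson: string): Finding[] {
  const m = JSON.parse(manifestJson);
  const findings: Finding[] = [];
  const scripts: Record<string, string> = m.scripts ?? {};
  for (const hook of HOOKS) {
    if (scripts[hook]) {
      findings.push({ layer: "install-hook", pkg: m.name ?? "<root>", detail: `${hook}: ${scripts[hook]}` });
    }
  }
  const deps: Record<string, string> = { ...(m.dependencies ?? {}), ...(m.devDependencies ?? {}) };
  for (const name of Object.keys(deps)) {
    const unscoped = name.startsWith("@") ? name.split("/")[1] ?? name : name;
    const sk = skeleton(unscoped);
    if (sk !== unscoped) {
      findings.push({ layer: "homoglyph", pkg: name, detail: `non-ASCII look-alike of ${sk}` });
    }
    const near = POPULAR.find((p) => sk !== p && editDistance(sk, p) === 1);
    if (near) findings.push({ layer: "typosquat", pkg: name, detail: `one edit from ${near}` });
  }
  return findings;
}

// package-lock v2/v3 lists every installed package under "packages" with the
// URL it was fetched from. A private-scope package that resolved from
// registry.npmjs.org is the dependency-confusion signal.
export function scanLockfile(lockJson: string): Finding[] {
  const lock = JSON.parse(lockJson);
  const findings: Finding[] = [];
  const entries = Object.entries(lock.packages ?? {}) as [string, { resolved?: string }][];
  for (const [path, entry] of entries) {
    if (!path.includes("node_modules/")) continue;
    const name = path.split("node_modules/").pop() ?? "";
    const resolved = entry.resolved ?? "";
    const isPrivate = PRIVATE_SCOPES.some((s) => name.startsWith(s + "/"));
    if (isPrivate && resolved.startsWith("https://registry.npmjs.org/")) {
      findings.push({ layer: "dependency-confusion", pkg: name, detail: `private scope fetched from public registry: ${resolved}` });
    }
  }
  return findings;
}

// Constructed sample inputs (not real project files).
export const SAMPLE_MANIFEST = JSON.stringify({
  name: "demo-app",
  scripts: { postinstall: "node ./setup.js" },
  dependencies: { lodahs: "^4.17.21", "re\u00e0ct": "^18.2.0", express: "^4.19.2", "@acme/auth-client": "^1.0.0" },
});
export const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/express": { version: "4.19.2", resolved: "https://registry.npmjs.org/express/-/express-4.19.2.tgz" },
    "node_modules/@acme/auth-client": { version: "1.0.0", resolved: "https://registry.npmjs.org/@acme/auth-client/-/auth-client-1.0.0.tgz" },
  },
});

for (const f of [...scanManifest(SAMPLE_MANIFEST), ...scanLockfile(SAMPLE_LOCK)]) {
  console.log(`[${f.layer}] ${f.pkg}: ${f.detail}`);
}
```

The skeleton step is what separates a homoglyph check from a plain edit-distance check: `reàct` is distance 0 from `react` only after accent stripping, and a Cyrillic `е` is distance 0 only after the confusable table maps it. Real tooling would use the Unicode confusables data rather than a hand-picked table, and would diff the lockfile's `resolved` host against the registry configured in `.npmrc` instead of a hard-coded scope list.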
Originally published on Dev.to.


