VibeKill

DepCheq — npm dependency firewall for CI pipelines

$ cat README.md

VibeKill makes open source tools for npm supply chain security.

Solo founder. Open source. Shipping in public.

First up: DepCheq - a CI dependency firewall for npm.

DepCheq

Scans your lockfile. Checks the registry. Blocks the bad stuff before it installs.

The npm supply chain problem

Not hypothetical or exaggerated. This is what's happening on the registry right now.

150,000

Packages from one automated campaign

One person with a script flooded the npm registry overnight. Nobody reviewed them in time.

Source: BleepingComputer

Recent Events

Mar 31, 2026

Axios maintainer incident thread

Timeline and remediation from the maintainers. Read it if you use Axios.

Source: axios/axios#10604

Apr 1, 2026

Microsoft publishes mitigation guidance

Detection and response guidance for teams affected by the Axios compromise.

Source: Microsoft Security Blog

2026 report

Sonatype open source malware baseline updated

Latest cumulative numbers across npm, PyPI, and other ecosystems.

Source: Sonatype 2026 Report

What DepCheq looks for

It reads your lockfile and checks registry metadata. If something looks off, it tells you before install.

Install scripts on new deps

A dependency you've never seen before wants to run code on install. That gets flagged.

Flags postinstall scripts in newly added npm transitive dependencies.

Typosquat + install script

Name looks like a popular package but isn't. And it runs a postinstall. Classic combo.

Detects typosquatting packages on npm that also execute install scripts.

New transitive dependency

Something showed up in your lockfile that wasn't there before. You should know about it.

Surfaces new transitive dependencies introduced by lockfile changes.

Package age

Published yesterday, zero downloads, and now it is in your tree. Worth a look.

Flags recently published npm packages with no download history.

Maintainer change

Different person published the latest version. Could be a handoff, could be a takeover.

Monitors for npm maintainer changes that may indicate account compromise.

Popularity mismatch

A package with 12 weekly downloads just got pulled into something with 2 million. Weird.

Identifies low-download npm packages pulled into high-traffic dependency trees.
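The signals above can be seen in a small lockfile diff. The following is an added example, not DepCheq's own code: it diffs the `packages` map of two package-lock.json (v2/v3) files, surfaces entries new to the tree, and applies three of the checks described here (install script on a new transitive dependency, a very young package with no downloads, and a maintainer change). The `hasInstallScript` field is what npm writes into the lockfile; the registry metadata object (`time`, `weeklyDownloads`, `publisher`, `previousPublisher`) and all sample packages are constructed stand-ins, not live registry data.

```javascript
// Added example (not DepCheq's code): diff two package-lock.json v2/v3 "packages" maps and flag
// new deps using three signals. Registry metadata shape and all sample data are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// "node_modules/a/node_modules/b" -> "b"
function nameFromPath(lockPath) {
  return lockPath.split('node_modules/').pop();
}

// Entries present in `after` but absent from `before`. Direct deps are the ones the root
// manifest (packages[""]) lists; everything else is transitive.
function newDependencies(before, after) {
  const direct = new Set(Object.keys(after.packages[''].dependencies || {}));
  const found = [];
  for (const [lockPath, entry] of Object.entries(after.packages)) {
    if (lockPath === '' || lockPath in before.packages) continue;
    const name = nameFromPath(lockPath);
    found.push({ name, version: entry.version, transitive: !direct.has(name),
                 hasInstallScript: Boolean(entry.hasInstallScript) });
  }
  return found;
}

// `registry` maps name -> { time: {version: iso}, weeklyDownloads, publisher, previousPublisher },
// a constructed stand-in for packument + download-count data; `now` is injected for determinism.
function assessNewDependencies(deps, registry, now) {
  return deps.map((dep) => {
    const meta = registry[dep.name] || {};
    const reasons = [];
    if (dep.transitive && dep.hasInstallScript) reasons.push('install-script-on-new-transitive');
    const published = Date.parse((meta.time || {})[dep.version] || ''); // NaN if unknown -> no age flag
    if (now - published < 7 * DAY_MS && !(meta.weeklyDownloads > 0)) reasons.push('new-package-no-downloads');
    if (meta.publisher && meta.previousPublisher && meta.publisher !== meta.previousPublisher) reasons.push('maintainer-changed');
    return { ...dep, reasons, block: reasons.length > 0 };
  });
}

// Constructed sample: lockfile before/after adding left-pad, which here drags in a made-up
// transitive dep "example-postinstall-helper" that declares an install script.
const BEFORE = { packages: { '': { dependencies: { express: '^4.0.0' } },
  'node_modules/express': { version: '4.19.2' } } };
const AFTER = { packages: { '': { dependencies: { express: '^4.0.0', 'left-pad': '^1.3.0' } },
  'node_modules/express': { version: '4.19.2' }, 'node_modules/left-pad': { version: '1.3.0' },
  'node_modules/left-pad/node_modules/example-postinstall-helper': { version: '0.0.1', hasInstallScript: true } } };
const REGISTRY = {
  'left-pad': { time: { '1.3.0': '2018-04-01T00:00:00Z' }, weeklyDownloads: 1200000, publisher: 'alice', previousPublisher: 'alice' },
  'example-postinstall-helper': { time: { '0.0.1': '2026-04-01T00:00:00Z' }, weeklyDownloads: 0, publisher: 'mallory', previousPublisher: 'bob' },
};
const NOW = Date.parse('2026-04-03T00:00:00Z');
function runExample() { return assessNewDependencies(newDependencies(BEFORE, AFTER), REGISTRY, NOW); }
console.log(JSON.stringify(runExample(), null, 2));
```

In a pipeline the same logic would run against the lockfile from the base branch and the one from the pull request, with the `block` flag deciding whether the install step proceeds.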

FAQ

Short answers to the questions teams ask first.

What is DepCheq?

DepCheq is a dependency firewall for npm. It runs in CI, checks your lockfile and registry metadata, and blocks risky packages before install.

How does DepCheq detect malicious npm packages?

It flags common supply-chain risk patterns: install scripts on new dependencies, typosquats, unexpected transitive additions, maintainer changes, and low-trust package signals.

Is DepCheq open source?

Yes. The core is open source, and VibeKill is building in public while shipping practical security tooling.

How do I add DepCheq to my CI pipeline?

Start with the docs and GitHub setup instructions, then run DepCheq in your pipeline before dependency install so bad packages are blocked early.

Know what you're installing

DepCheq is open source and runs in any CI pipeline that supports npm.

Built by Jonah Reed | Builder, VibeKill