Open-source tool · Supply chain security

npmsecure

npm security scanner, hardener, and malware detector for projects that run agentic JavaScript, Node tooling, and dependency-heavy automation.

Why it exists

The top KYA signal already has a mitigation.

The KYA Agent Registry shows dependency vulnerability as the largest repeat finding category. npmsecure exists because the first security layer for financial AI agents is not a new abstraction. It is knowing what code enters the runtime.

install
$ pip install npmsecure
$ npmsecure scan --cve --json
recursive audit complete
run npmsecure harden to reduce unsafe defaults
Capabilities

Use npmsecure locally, in CI, or as a pre-install guard before agent projects add new packages.

01 Recursive npm audit
Find nested package.json files and report vulnerability severity across many projects.

02 OSV CVE checks
Cross-reference dependencies against open vulnerability data for broader coverage.

03 Lockfile health
Flag missing lockfiles, unsafe version ranges, and dependency drift.

04 Malware detection
Detect known malicious packages and suspicious exfiltration or obfuscation patterns.

05 npm hardening
Set safer defaults like exact versions, audit levels, and script controls.

06 CI output
Emit JSON or SARIF and fail builds when risk crosses your threshold.
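The recursive audit and lockfile health checks described above, as an added Python example that is not npmsecure's own code: it walks a tree for nested package.json files, skips node_modules, and reports any project with no lockfile and any dependency not pinned to an exact version. The project layout, package names and the set of "unsafe range" rules are constructed for this example.

```python
import json
import os
import tempfile
from pathlib import Path

LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

def is_unsafe_range(spec: str) -> bool:
    """True unless spec is an exact pin: wildcards, dist-tags, ^/~/comparator ranges, git/URL/file specs."""
    spec = spec.strip()
    if spec in ("", "*", "latest", "next") or spec[0] in "^~><=" or ".x" in spec or "||" in spec or " " in spec:
        return True
    return "://" in spec or spec.startswith(("git", "github:", "file:"))

def scan_tree(root: str) -> list[dict]:
    """Walk root for nested package.json files (skipping node_modules); report missing lockfiles and unsafe ranges."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # installed deps are not our projects
        if "package.json" not in filenames:
            continue
        project = Path(os.path.relpath(dirpath, root)).as_posix()
        if not any(lf in filenames for lf in LOCKFILES):
            findings.append({"project": project, "rule": "missing-lockfile", "detail": ""})
        manifest = json.loads(Path(dirpath, "package.json").read_text())
        for field in DEP_FIELDS:
            for name, spec in manifest.get(field, {}).items():
                if is_unsafe_range(spec):
                    findings.append({"project": project, "rule": "unsafe-range", "detail": f"{name}@{spec}"})
    return findings

def build_sample_tree(root: str) -> None:
    """Constructed fixture: pinned root with a lockfile; nested service with no lockfile and loose ranges."""
    top = Path(root)
    (top / "package.json").write_text(json.dumps({"dependencies": {"express": "4.18.2"}}))
    (top / "package-lock.json").write_text("{}")
    svc = top / "services" / "agent"
    (svc / "node_modules" / "dep").mkdir(parents=True)  # must be skipped by the walk
    (svc / "node_modules" / "dep" / "package.json").write_text('{"dependencies": {"x": "*"}}')
    (svc / "package.json").write_text(json.dumps({
        "dependencies": {"lodash": "^4.17.21", "left-pad": "*"},
        "devDependencies": {"some-tool": "git+https://example.invalid/repo.git"},
    }))

def scan_sample() -> list[dict]:
    """Build the constructed tree in a temp dir and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Calling `scan_sample()` returns four findings, all for services/agent: one missing lockfile and three unsafe ranges, while the pinned root project and the package.json under node_modules produce none.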