I Built a Zero-Dependency Supply-Chain Security Scanner for Node.js — 18 Checks, One Command

The npm install trust problem When you run npm install, you're trusting hundreds of strangers to not run malicious code on your machine. And that trust has been broken — repeatedly. Packages like event-stream, ua-parser-js, and coa were hijacked to steal credentials, install backdoors, and exfiltrate data through postinstall scripts. By the time npm install finishes, the damage is already done. The traditional answer? npm audit. But that only catches known CVEs. It completely misses: Typosquatted packages hiding in your lockfile Dropper packages that curl | sh in postinstall Tampered package.json files swapped after install C2 domains hardcoded in dependencies Stolen npm tokens used to publish without CI/CD provenance I needed something better. So I built it. Meet sec-check — one command, 18 security checks, zero dependencies npx @sathyendra/security-checker That's the entire setup. No config files, no API keys, no build step. It scans your project and tells you what's wrong: ─────────