npm-scan — npm supply chain security scanner
npm-scan detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm propagation that npm audit, Snyk, and Socket miss. It includes detection for major 2026 campaigns (Megalodon, Mini Shai-Hulud, TrapDoor, node-ipc, typosquatting, axios poisoning), plus HuggingFace impersonation, VSIX extensions, and Python CVE-2026-48710. Features: SBOM, SARIF, policy-as-code, HTML/PDF reports, Docker, GitHub Action, zero telemetry. Free tier includes all detectors; premium adds PDF and SIEM export.