package.json
Pick a scenario, then read the manifest. The dangerous part of any dependency is rarely the
code you import — it is what runs during install: the lifecycle hooks declared under
scripts, the transitive dependencies, and the bin links.
Everything here is simulated — no real code runs, nothing leaves your browser.
You typed one package name, but npm installs the whole transitive tree. You are
trusting every box below — not just your direct dependency. Badges flag which
packages declare install scripts (postinstall etc.) and which are flagged malicious in this scenario.
Run npm install and watch each phase: resolve → fetch → link bin →
run lifecycle scripts. Toggle --ignore-scripts to neutralize the most common
attack path and see the difference in the log.
When a malicious lifecycle script runs, this is the kind of data it gets at — the four moves:
read environment variables, read repo/home files, make an outbound request, and modify your
source. All values here are fake and never leave your browser. Run a malicious
scenario to populate it, then enable --ignore-scripts and run again to watch it go quiet.
Before you ever run install, these are the signals to grep for in a manifest and lockfile diff.
This panel scans the current package.json and dependency tree.
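As an added example (not the simulator's own code), the scan below applies the same signals to a package-lock v3 "packages" map and a package.json: install lifecycle hooks, bin links, sources outside the public registry, and missing integrity hashes. The lockfile, package names and hash value are constructed for illustration.

```javascript
// Constructed package-lock v3 fragment: one clean dependency and one that shows
// every install-time signal the panel flags. Names and hashes are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDERHASH", // constructed, not a real digest
      dependencies: { "evil-helper": "^0.1.0" },
    },
    "node_modules/evil-helper": {
      version: "0.1.0",
      resolved: "git+ssh://git@example.invalid/evil/helper.git", // not the registry
      hasInstallScript: true, // npm sets this when preinstall/install/postinstall exist
      bin: { "evil-helper": "bin/cli.js" }, // a bin link lands on PATH
      // no "integrity" field: nothing pins the fetched bytes
    },
  },
};

// Constructed manifest for the transitive package above.
const SAMPLE_MANIFEST = { name: "evil-helper", scripts: { postinstall: "node setup.js" } };

const REGISTRY = "https://registry.npmjs.org/";
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return the lifecycle hooks in a package.json that npm runs at install time.
function scanManifest(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts);
}

// Walk every resolved package in the lockfile and collect install-time risk signals.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (pkg.hasInstallScript) findings.push({ name, signal: "install-script" });
    if (pkg.bin) findings.push({ name, signal: "bin-link" });
    if (pkg.resolved && !pkg.resolved.startsWith(REGISTRY)) findings.push({ name, signal: "non-registry-source" });
    if (!pkg.integrity) findings.push({ name, signal: "missing-integrity" });
  }
  return findings;
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a new "install-script" or "non-registry-source" finding in a lockfile diff is the line to stop on before install.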
Toggle the controls a hardened project/CI would apply and watch the residual risk drop. No single control is enough — supply-chain defense is layered.