@cyberhub/pkgtrust

Trust scoring for npm packages: maintainer risk, package health, and supply chain signals

Source: npm
Version: 0.3.0 (latest)
Versions published: 8
Maintainers: 1
Weekly downloads: 14 (-56.25%)

pkgtrust

Trust scoring for npm packages: maintainer risk, package health, and supply chain signals.

Before you npm install, know what you're getting into.

# Install globally (recommended)
npm install -g @cyberhub/pkgtrust
pkgtrust scan express

# Or use via npx
npx --package=@cyberhub/pkgtrust pkgtrust scan express

Output:

  express@4.21.0
  ████████████████░░░░ 82/100 A TRUSTED
  Confidence: high

  Breakdown:
    Maintainer Trust:  ██████████████████░░ 88
    Package Health:    ████████████████░░░░ 78
    Supply Chain:      ████████████████████ 95
    Community:         ██████████████░░░░░░ 72

  Flags:
    MEDIUM   30 direct dependencies
    LOW      No provenance attestation on latest version
    INFO     Published with 2FA enabled (signed)

Install

# Install globally (recommended)
npm install -g @cyberhub/pkgtrust

# Then use from anywhere
pkgtrust scan lodash
pkgtrust compare axios got node-fetch
pkgtrust maintainer sindresorhus

# Or use via npx (no install needed)
npx --package=@cyberhub/pkgtrust pkgtrust scan lodash

Commands

Scan a package

pkgtrust scan express
pkgtrust scan @anthropic-ai/sdk
pkgtrust scan react --json

Scan your project

Scans all dependencies in package.json:

pkgtrust scan

Compare packages

pkgtrust compare axios got node-fetch

Output:

  Metric               axios        got          node-fetch
  ─────────────────── ──────────── ──────────── ────────────
  Trust Score          78           82           85
  Grade                B+           A            A
  Maintainer Trust     75           80           90
  Package Health       80           85           82
  Supply Chain         85           90           95
  Flags                3            2            1

  Winner: node-fetch

Maintainer lookup

pkgtrust maintainer sindresorhus

CI gate

Fail the build if any dependency scores below threshold:

pkgtrust gate --min-score=50

Exit code 0 = pass, 1 = fail. Use in CI:

- run: npx @cyberhub/pkgtrust gate --min-score=50

JSON output

pkgtrust scan express --json
pkgtrust scan --json > trust-report.json

Scoring Methodology

Each package gets a composite trust score (0-100) from four categories:

| Category | Weight | What it measures |
|---|---|---|
| Maintainer Trust | 40% | Account age, publication record, maintainer changes, multi-maintainer, publish cadence, email domain, 2FA |
| Package Health | 30% | Install scripts, dependency count, license, provenance, size changes, binary detection, deprecation |
| Supply Chain | 20% | Typosquatting risk, known compromises, source-registry consistency |
| Community | 10% | GitHub stars, contributors, commit recency, CI, downloads |

Grades

| Grade | Score | Tier |
|---|---|---|
| A+ | 95-100 | Trusted |
| A | 85-94 | Trusted |
| B+ | 75-84 | Standard |
| B | 65-74 | Standard |
| C+ | 55-64 | Caution |
| C | 45-54 | Caution |
| D | 30-44 | Caution |
| F | 0-29 | Avoid |

Confidence

Shows how many data signals were available:

  • High: 70%+ of signals available (npm metadata + GitHub + downloads)
  • Medium: 40-69% of signals available
  • Low: <40% of signals available (score less reliable)
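The scoring, grading, confidence and gate rules above can be put together in a few dozen lines. The following is an added example, not pkgtrust's own code: it uses the category weights, grade bands and confidence thresholds from this README and a gate check in the style of `pkgtrust gate --min-score=N`. Two things are assumptions: the composite is taken as a plain weighted mean (with weights re-normalised over the categories that have data), and flag penalties are not modelled because the README does not say how they enter the number. That assumption is visible in the result: the express breakdown printed above (88/78/95/72) gives 85 under a plain weighted mean, while pkgtrust reports 82, so the real tool applies some adjustment this example does not.

```javascript
// Added example, not pkgtrust's own code. Category weights, grade bands and
// confidence thresholds are the ones in the README; the weighted-mean
// composite and the missing-category handling are assumptions.
const WEIGHTS = { maintainerTrust: 0.40, packageHealth: 0.30, supplyChain: 0.20, community: 0.10 };

// Grade table from the README: lower bound of each band, descending.
const GRADES = [
  { min: 95, grade: 'A+', tier: 'Trusted' },
  { min: 85, grade: 'A',  tier: 'Trusted' },
  { min: 75, grade: 'B+', tier: 'Standard' },
  { min: 65, grade: 'B',  tier: 'Standard' },
  { min: 55, grade: 'C+', tier: 'Caution' },
  { min: 45, grade: 'C',  tier: 'Caution' },
  { min: 30, grade: 'D',  tier: 'Caution' },
  { min: 0,  grade: 'F',  tier: 'Avoid' },
];

// Composite 0-100. A category with no data (null/undefined) is left out and the
// remaining weights re-normalised, so a missing category neither counts as zero
// nor inflates the score. Returns null when no category has data at all.
function compositeScore(categories) {
  let weighted = 0, weightSum = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    const value = categories[name];
    if (value === null || value === undefined) continue;
    if (typeof value !== 'number' || value < 0 || value > 100) {
      throw new RangeError(`category ${name} must be a number in 0..100`);
    }
    weighted += weight * value;
    weightSum += weight;
  }
  if (weightSum === 0) return null;
  return Math.round(weighted / weightSum);
}

// Map a composite score onto the README's grade and tier.
function gradeFor(score) {
  if (score === null) return { grade: null, tier: null };
  return GRADES.find(g => score >= g.min);
}

// Confidence from the fraction of signals that were available.
function confidenceFor(available, total) {
  const ratio = total > 0 ? available / total : 0;
  if (ratio >= 0.70) return 'high';
  if (ratio >= 0.40) return 'medium';
  return 'low';
}

// Gate: pass only if every package meets the threshold; an unscored package
// (null) fails closed. exitCode mirrors the CLI: 0 = pass, 1 = fail.
function gate(packages, minScore = 50) {
  const failing = packages
    .filter(p => p.score === null || p.score < minScore)
    .map(p => `${p.name}@${p.version} (${p.score ?? 'unscored'})`);
  return { pass: failing.length === 0, exitCode: failing.length === 0 ? 0 : 1, failing };
}

// Constructed sample input: the express breakdown from the README, plus a
// made-up package whose community signals are missing and which has few
// signals overall (7 of an assumed 20).
const SAMPLE = [
  { name: 'express', version: '4.21.0', signals: [15, 20],
    categories: { maintainerTrust: 88, packageHealth: 78, supplyChain: 95, community: 72 } },
  { name: 'left-pad-clone', version: '0.0.1', signals: [7, 20],
    categories: { maintainerTrust: 20, packageHealth: 40, supplyChain: 60, community: null } },
];

function scoreAll(sample = SAMPLE) {
  return sample.map(p => {
    const score = compositeScore(p.categories);
    const { grade, tier } = gradeFor(score);
    return { name: p.name, version: p.version, score, grade, tier, confidence: confidenceFor(...p.signals) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const scored = scoreAll();
  for (const p of scored) {
    console.log(`${p.name}@${p.version}: ${p.score}/100 ${p.grade} ${(p.tier ?? 'n/a').toUpperCase()} (confidence: ${p.confidence})`);
  }
  const result = gate(scored, 50);
  console.log(result.pass ? 'gate: pass' : `gate: fail -> ${result.failing.join(', ')}`);
}
```

Failing closed on an unscored package is the deliberate choice here: a dependency the scorer could not evaluate at all should not pass a trust gate by default.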

Known Compromise Database

pkgtrust cross-references against historically compromised packages:

| Package | Incident |
|---|---|
| event-stream | Malicious flatmap-stream injection (2018) |
| ua-parser-js | Cryptominer in v0.7.29/0.8.0/1.0.0 (2021) |
| colors | Maintainer sabotaged with infinite loop (2022) |
| faker | Maintainer deleted all code (2022) |
| node-ipc | Protestware targeting Russian IPs (2022) |
| @ledgerhq/connect-kit | Wallet drainer injection (2023) |

Programmatic API

import { scanPackage, scanProject, comparePackages } from '@cyberhub/pkgtrust';

// Score a single package
const score = await scanPackage('express');
console.log(score.score, score.grade, score.tier);

// Scan project dependencies
const result = await scanProject('./my-project');
console.log(result.summary.averageScore);

// Compare alternatives
const comparison = await comparePackages(['axios', 'got', 'node-fetch']);
console.log(comparison.winner);

Options

| Flag | Description |
|---|---|
| --json | Output as JSON |
| --min-score=N | Gate threshold (default: 50) |
| --sync | Sync scores to nrupak.com for trending |

How it works

  • Fetches package metadata from registry.npmjs.org
  • Queries 8 security databases in parallel (GitHub Advisories, OSV.dev, npm audit, Snyk, Socket.dev, npms.io, Bundlephobia, deps.dev)
  • Fetches GitHub repo health and OpenSSF Scorecard
  • Scores across 18+ signals in 4 categories with live CVE data
  • Applies transitive risk: if your dependency depends on a breached package, you get flagged
  • Applies maintainer cross-reference: if a maintainer has compromised history, all their packages get flagged
  • Produces composite score with letter grade and risk tier
  • Stores results locally + optionally syncs to nrupak.com dashboard
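The known-compromise cross-reference and the transitive-risk rule above amount to a walk over the dependency tree with a lookup at each node. The following is an added example, not pkgtrust's own code: the compromise list is the one printed in the README's Known Compromise Database table, the dependency tree is constructed for the example, and one detail is an assumption the README does not settle: only ua-parser-js is matched on exact version (the versions the table names), the other entries match any version.

```javascript
// Added example, not pkgtrust's own code. Incident text comes from the
// README's table; whether real pkgtrust matches on version is not documented,
// so version-specific matching here is an assumption.
const COMPROMISED = {
  'event-stream':          { incident: 'Malicious flatmap-stream injection (2018)', versions: null },
  'ua-parser-js':          { incident: 'Cryptominer in v0.7.29/0.8.0/1.0.0 (2021)', versions: ['0.7.29', '0.8.0', '1.0.0'] },
  'colors':                { incident: 'Maintainer sabotaged with infinite loop (2022)', versions: null },
  'faker':                 { incident: 'Maintainer deleted all code (2022)', versions: null },
  'node-ipc':              { incident: 'Protestware targeting Russian IPs (2022)', versions: null },
  '@ledgerhq/connect-kit': { incident: 'Wallet drainer injection (2023)', versions: null },
};

// Return the incident record when the name matches and, for version-specific
// entries, the exact version is one of the affected ones; otherwise null.
function lookupCompromise(name, version) {
  const rec = COMPROMISED[name];
  if (!rec) return null;
  if (rec.versions && !rec.versions.includes(version)) return null;
  return rec;
}

// Walk a tree of { name, version, dependencies: [...] } nodes (the nesting
// `npm ls --json` prints, as an assumption about input shape) and return one
// flag per affected package: 'direct' when the package itself is listed,
// 'transitive' for every package that depends on an affected one, up to the
// root. The memo stops cycles and avoids re-walking shared subtrees.
function crossReference(root) {
  const flags = [];
  const memo = new Map(); // key -> true/false once a subtree is fully walked
  function walk(node, path) {
    const key = `${node.name}@${node.version}`;
    const here = [...path, key];
    if (memo.has(key)) return memo.get(key) === true; // revisit, or a cycle edge
    memo.set(key, 'walking');
    const hit = lookupCompromise(node.name, node.version);
    if (hit) {
      flags.push({ severity: 'HIGH', kind: 'direct', package: key, incident: hit.incident, path: here });
    }
    let exposed = hit !== null;
    for (const dep of node.dependencies ?? []) {
      if (walk(dep, here)) {
        if (!hit) {
          flags.push({ severity: 'MEDIUM', kind: 'transitive', package: key,
                       via: `${dep.name}@${dep.version}`, path: here });
        }
        exposed = true;
      }
    }
    memo.set(key, exposed);
    return exposed;
  }
  walk(root, []);
  return flags;
}

// Constructed sample tree: one clean dependency, one ua-parser-js at a version
// the table does not list, and a listed package reachable only transitively.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0', dependencies: [
    { name: 'express', version: '4.21.0', dependencies: [] },
    { name: 'ua-parser-js', version: '0.7.28', dependencies: [] },
    { name: 'some-cli', version: '2.0.0', dependencies: [
      { name: 'event-stream', version: '1.2.3', dependencies: [] },
    ] },
  ],
};

// Render flags the way the CLI prints its Flags section.
function formatFlags(flags) {
  return flags.map(f => f.kind === 'direct'
    ? `${f.severity.padEnd(8)} ${f.package}: ${f.incident}`
    : `${f.severity.padEnd(8)} ${f.package} depends on breached package via ${f.via}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of formatFlags(crossReference(SAMPLE_TREE))) console.log(line);
}
```

The root package is flagged too, which is the README's "you get flagged" rule; a gate that consumes these flags can treat a HIGH direct hit and a MEDIUM transitive exposure differently without re-walking the tree.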

Features

  • 8 Security Databases: GitHub Advisories, OSV.dev, npm audit, Snyk, Socket.dev, npms.io, Bundlephobia, deps.dev
  • Transitive Risk: Flags packages that depend on breached dependencies
  • Maintainer Cross-Reference: Flags packages by compromised maintainers
  • Package Compare: pkgtrust compare axios got node-fetch
  • CI Gate: pkgtrust gate --min-score=50 fails builds below threshold
  • Dependency Tree: Visualizes full dep chain with vuln indicators
  • GitHub PR Bot: Auto-comments trust scores on PRs with dependency changes
  • Leaderboard: Top packages ranked by trust at nrupak.com/trust/leaderboard
  • Verified Maintainers: Maintainers can claim and verify their profiles

Dashboard

Public trust scores at nrupak.com/trust:

  • Search: Look up any npm package or maintainer
  • Browse: Filter all scored packages by tier, sort by score/date
  • Compare: Side-by-side comparison at /trust/compare
  • Leaderboard: Top packages ranked at /trust/leaderboard
  • Maintainer Profiles: OSINT view with GitHub data, packages, verified badges
  • GitHub PR Bot: Setup at /trust/github-app

Zero Dependencies

pkgtrust has zero runtime dependencies. It is built using only the Node.js built-in fetch API.

License

MIT (Nrupak Shah)

Package last updated on 01 Apr 2026
