npm-security-analyzer
Advanced tools
A tool to analyze suspicious npm packages for security vulnerabilities and generate GitHub Copilot templates
A command-line tool to generate template content for analyzing suspicious npm packages, designed specifically for use with GitHub Copilot.
This tool generates template files to help security researchers analyze potentially malicious npm packages with GitHub Copilot by:
The tool is specifically designed to work with GitHub Copilot to help analyze and explain security vulnerabilities without actually executing potentially malicious code.
# Install globally
npm install -g npm-security-analyzer
# Or run with npx
npx npm-security-analyzer
npm-security-analyzer --issue <issue-number> --repo <repo>
# Analyze an npm package mentioned in a GitHub security issue
npm-security-analyzer --issue 15035 --repo github/octoscan-results
# Specify custom patterns to search for
npm-security-analyzer --patterns "eval(" "base64" "process.env" --output ./my-analysis
Options:
-V, --version output the version number
-i, --issue <number> GitHub issue number containing the vulnerability report
-r, --repo <repo> GitHub repository path (default: "github/octoscan-results")
-p, --patterns <patterns...> Suspicious patterns to search for
-o, --output <directory> Directory to save analysis results (default: ~/security-reports)
-v, --verbose Enable verbose output
-h, --help display help for command
For the best experience with GitHub Copilot, use this prompt:
Execute an npm security analysis using npm-security-analyzer:
1. Analyze the vulnerability report:
npm-security-analyzer --issue <issue> --repo <repo> --output ./analysis-results
2. Once complete, review the JSON report at ./analysis-results/analysis_*.json and the human-readable Markdown file at ./analysis-results/analysis_*.md, then provide:
- A summary of detected vulnerabilities
- Technical explanation of the exploit mechanism
- Code snippets of suspicious patterns found (highlight the malicious portions)
- Probable attack vectors and potential impact
- Recommended mitigation steps
3. Compare the compromised package with the legitimate version
4. Provide a detailed risk assessment
5. Generate a comprehensive security advisory in human-readable Markdown format that explains the vulnerability in clear terms for both technical and non-technical audiences
The tool generates several outputs in the specified directory:
analysis_<timestamp>.json - Complete JSON report with technical detailsanalysis_<timestamp>.md - Human-readable Markdown summary with vulnerability explanationspackage_contents/ - Extracted package files for inspectiondiffs/ - Diffs between legitimate and suspicious versions (if available)human_report_<timestamp>.md - Comprehensive human-readable explanation of findings suitable for sharing with both technical and non-technical stakeholdersMIT
FAQs
A tool to analyze suspicious npm packages for security vulnerabilities and generate GitHub Copilot templates
We found that npm-security-analyzer demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Experts push back on new claims about AI-driven ransomware, warning that hype and sponsored research are distorting how the threat is understood.
Security News
Ruby's creator Matz assumes control of RubyGems and Bundler repositories while former maintainers agree to step back and transfer all rights to end the dispute.
Research
/Security News
Socket researchers found 10 typosquatted npm packages that auto-run on install, show fake CAPTCHAs, fingerprint by IP, and deploy a credential stealer.