# NPM Lockfile Threat Scanner – Compromised Package Checker (`halcyon_twine/npm-lockfile-threat-scanner`) Actor

Check package-lock.json, yarn.lock or pnpm-lock.yaml for known-malicious (compromised) package versions — supply-chain attack triage in seconds, no install needed.

- **URL**: https://apify.com/halcyon\_twine/npm-lockfile-threat-scanner.md
- **Developed by:** [Jeff Rogers](https://apify.com/halcyon_twine) (community)
- **Categories:** Developer tools
- **Stats:** 2 total users, 1 monthly users, 42.9% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

from $1.00 / 1,000 package-checkeds

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

````bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```bash

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## NPM Lockfile Threat Scanner – Compromised Package Checker

**Is your project affected by the latest npm supply-chain attack?** Paste a `package-lock.json`, `yarn.lock` or `pnpm-lock.yaml` (or point at a URL) and get an answer in seconds. The scanner checks every package version in your lockfile against the [OSV.dev](https://osv.dev) malicious-package feed (the OpenSSF malicious-packages database, `MAL-*` advisories) — the same data that flagged the 2026 axios, node-ipc and Red Hat "Miasma" compromises **on the day they happened**.

No CLI to install, no repo to clone, no signup with a security vendor. Works from a browser, from CI via the API, or as an **MCP tool** your AI agent can call.

### What it detects

Known-**malicious** package versions — account takeovers, trojanized releases, credential stealers, worms — as catalogued by OSV/OpenSSF. This is triage for incidents like:

- **Axios takeover (March 2026)** — versions 1.14.1 / 0.30.4 shipping a cross-platform RAT via a phantom `plain-crypto-js` dependency
- **node-ipc (May 2026)** — three versions with an embedded credential stealer
- **Red Hat "Miasma" (June 2026)** — ~32 `@redhat-cloud-services` packages published with *valid SLSA provenance*
- **Shai-Hulud worm & chalk/debug takeover (2025)**

For the major incidents above, findings are **enriched with hand-curated incident context**: what the payload does, what *else* to hunt for (exfiltration endpoints, dropped files, rogue repos), and links to the primary vendor write-ups — the stuff a terse advisory doesn't tell you at 11pm during an incident.

> This scanner focuses on *malicious code*, not ordinary CVEs. For general vulnerability audits use `npm audit` or OSV-Scanner; use this when you need a fast "are we hit?" answer.

### How to check a lockfile for malicious packages

1. Paste your lockfile into **Lockfile content** (or add raw URLs under **Lockfile URLs** — GitHub `blob` links are accepted).
2. Run. A 2,000-dependency lockfile typically finishes in a few seconds.
3. Read the verdict:
   - **CLEAN** — no known-malicious versions matched.
   - **COMPROMISED-PACKAGES-FOUND** — the dataset lists each hit with the advisory, incident context, hunting guidance and a remediation recommendation.

You can also skip the lockfile and check specific packages via the **Package list** input (`axios@1.14.1`, one per line) — handy when a new advisory drops and you just want to check the names from the headline.

#### Supported lockfile formats

- `package-lock.json` / `npm-shrinkwrap.json` (npm, lockfile versions 1–3)
- `yarn.lock` (Yarn 1 classic and Yarn 2+ Berry)
- `pnpm-lock.yaml` (v5, v6 and v9 formats)

### Run it from CI or scripts

Call the Actor via the Apify API on every dependency update PR, or on a schedule. A non-empty `findings` array (or `verdict != "CLEAN"` in the `OUTPUT` record) is your signal to fail the build. Pair it with an [Apify schedule](https://docs.apify.com/platform/schedules) + webhook to get standing daily checks of your dependency list — new advisories are matched as soon as OSV publishes them.

### Privacy: what happens to my lockfile?

Lockfiles are mostly public data (package names, versions, registry URLs), but they can reveal **internal package names** — exactly the intelligence a dependency-confusion attacker wants — and private registry hostnames.

- **Skip private/internal packages** is ON by default: any package that resolved from a private registry, git, `file:` or `workspace:` source is counted and listed as *skipped*, but its name is **never sent to the external OSV API**.
- Your lockfile is processed inside your own Apify account. This Actor does not copy, retain or share your input; results live in your run's dataset and key-value store under your account's standard retention.
- Only `name@version` pairs of publicly-resolved packages are sent to OSV.dev for matching.

Note: Yarn Berry lockfiles don't record registry URLs, so private-registry detection there is limited to non-`npm:` protocols — redact internal entries yourself if that matters for you.

### Disclaimer

This tool matches your dependencies against *known, publicly catalogued* malicious package versions. A **CLEAN verdict is not a guarantee of safety** — it means no match in the OSV.dev feed at scan time. Zero-day compromises, not-yet-catalogued packages and non-npm attack vectors are out of scope. Findings and remediation guidance are provided as-is, without warranty; validate against the linked advisories before taking destructive action. You are responsible for the files you submit and for your own incident response.

### Output example

```json
{
  "verdict": "MALICIOUS",
  "package": "axios",
  "version": "1.14.1",
  "advisories": [{ "id": "MAL-2026-2307", "summary": "Malicious code in axios (npm)", "published": "2026-03-31" }],
  "incident": {
    "name": "Axios maintainer account takeover (March 2026)",
    "payload": "Hijacked lead-maintainer npm account published axios 1.14.1 and 0.30.4 carrying a phantom dependency, plain-crypto-js@4.2.1...",
    "huntFor": ["plain-crypto-js anywhere in lockfiles — it has no legitimate use", "..."]
  },
  "recommendation": "Remove or pin away from axios@1.14.1 immediately, rebuild the lockfile, and rotate credentials..."
}
````

The full scan summary (verdict, counts, skipped private packages, parse errors) is stored as the run's `OUTPUT` key-value record.

### FAQ

**How fresh is the data?** OSV.dev ingests the OpenSSF malicious-packages database continuously; for every major 2026 incident the malicious versions were catalogued the same day the attack was disclosed. Each scan queries OSV live — there is no stale local mirror.

**Does it find ordinary CVEs (vulnerabilities)?** No — by design it reports only *malicious* code advisories (`MAL-*`), so the signal is "you are compromised", never "you should upgrade sometime". That's what makes it usable as a CI gate.

**Will it flag my internal/private packages?** With the default settings it never even transmits their names. See the Privacy section.

**What does it cost?** Pricing is pay-per-event: a flat fee per package version checked. A typical application lockfile (1,000–3,000 unique packages) costs a few cents per scan.

# Actor input Schema

## `lockfileContent` (type: `string`):

Paste the full content of a <code>package-lock.json</code>, <code>npm-shrinkwrap.json</code>, <code>yarn.lock</code> or <code>pnpm-lock.yaml</code>. Format is auto-detected.

## `lockfileUrls` (type: `array`):

Direct URLs to lockfiles (raw file URLs). GitHub <code>blob</code> URLs are converted to raw automatically. Example: <code>https://github.com/org/repo/blob/main/package-lock.json</code>

## `packages` (type: `array`):

Alternative to a lockfile: check specific packages, one <code>name@version</code> per line, e.g. <code>axios@1.14.1</code> or <code>@scope/pkg@2.0.0</code>. The prefilled demo checks one known-compromised version (axios 1.14.1) and two clean packages — replace with your own, or use a lockfile field instead.

## `skipPrivateRegistries` (type: `boolean`):

When enabled (recommended), packages that resolved from private registries, git, file: or workspace: sources are counted but NEVER sent to the external vulnerability API — so your internal package names don't leave the run. They are listed as skipped in the output.

## `maxPackages` (type: `integer`):

Safety cap on the number of unique package versions queried (and billed) per run.

## Actor input object example

```json
{
  "packages": [
    "axios@1.14.1",
    "lodash@4.17.21",
    "express@4.19.2"
  ],
  "skipPrivateRegistries": true,
  "maxPackages": 15000
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "packages": [
        "axios@1.14.1",
        "lodash@4.17.21",
        "express@4.19.2"
    ]
};

// Run the Actor and wait for it to finish
const run = await client.actor("halcyon_twine/npm-lockfile-threat-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "packages": [
        "axios@1.14.1",
        "lodash@4.17.21",
        "express@4.19.2",
    ] }

# Run the Actor and wait for it to finish
run = client.actor("halcyon_twine/npm-lockfile-threat-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "packages": [
    "axios@1.14.1",
    "lodash@4.17.21",
    "express@4.19.2"
  ]
}' |
apify call halcyon_twine/npm-lockfile-threat-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=halcyon_twine/npm-lockfile-threat-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "NPM Lockfile Threat Scanner – Compromised Package Checker",
        "description": "Check package-lock.json, yarn.lock or pnpm-lock.yaml for known-malicious (compromised) package versions — supply-chain attack triage in seconds, no install needed.",
        "version": "0.1",
        "x-build-id": "2UOndg5V5Xuts7LR9"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/halcyon_twine~npm-lockfile-threat-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-halcyon_twine-npm-lockfile-threat-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/halcyon_twine~npm-lockfile-threat-scanner/runs": {
            "post": {
                "operationId": "runs-sync-halcyon_twine-npm-lockfile-threat-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/halcyon_twine~npm-lockfile-threat-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-halcyon_twine-npm-lockfile-threat-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "lockfileContent": {
                        "title": "Lockfile content (paste)",
                        "type": "string",
                        "description": "Paste the full content of a <code>package-lock.json</code>, <code>npm-shrinkwrap.json</code>, <code>yarn.lock</code> or <code>pnpm-lock.yaml</code>. Format is auto-detected."
                    },
                    "lockfileUrls": {
                        "title": "Lockfile URLs",
                        "type": "array",
                        "description": "Direct URLs to lockfiles (raw file URLs). GitHub <code>blob</code> URLs are converted to raw automatically. Example: <code>https://github.com/org/repo/blob/main/package-lock.json</code>",
                        "items": {
                            "type": "string"
                        }
                    },
                    "packages": {
                        "title": "Package list",
                        "type": "array",
                        "description": "Alternative to a lockfile: check specific packages, one <code>name@version</code> per line, e.g. <code>axios@1.14.1</code> or <code>@scope/pkg@2.0.0</code>. The prefilled demo checks one known-compromised version (axios 1.14.1) and two clean packages — replace with your own, or use a lockfile field instead.",
                        "items": {
                            "type": "string"
                        }
                    },
                    "skipPrivateRegistries": {
                        "title": "Skip private/internal packages",
                        "type": "boolean",
                        "description": "When enabled (recommended), packages that resolved from private registries, git, file: or workspace: sources are counted but NEVER sent to the external vulnerability API — so your internal package names don't leave the run. They are listed as skipped in the output.",
                        "default": true
                    },
                    "maxPackages": {
                        "title": "Max packages to check",
                        "minimum": 1,
                        "type": "integer",
                        "description": "Safety cap on the number of unique package versions queried (and billed) per run.",
                        "default": 15000
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
