I shipped skillcraft.ai !!!
Skillcraft helps you find the best learning resources tailored to your goals. Get a personalized roadmap with the best courses, books, and tutorials. Try it out, for free!
Up to date
Published
2 min read

Trevor I. Lasn

Building tools for developers. Currently building skillcraft.ai and blamesteve.lol

NPQ: Open source CLI tool that audits and protects your npm installs from malicious packages

A CLI tool that checks packages for security issues and social engineering attacks before they hit your project

I stumbled across the NPQ CLI tool while browsing GitHub, and it addresses something that’s been bugging me for years. Every time you run npm install, you’re basically trusting random strangers on the internet not to mess with your computer.

NPQ sits between you and npm, checking packages for sketchy behavior before they touch your project. Here’s the general idea:

Terminal window
npm install -g npq
npq install next
Packages with issues found:
┌─
> next@latest
Supply Chain Security · Detected a recently published version (published 2 days ago) - consider waiting for community review
└─
Summary:
- Total packages: 1
- Total errors: 1
- Total warnings: 0
Continue install ? (y/N) n

Why Audit Your Packages?

Here’s what happens when you install a package. You type npm install package and suddenly you’ve downloaded code from someone you’ve never met. That code runs on your machine with your permissions. It can read files, make network requests, and do whatever it wants.

Most packages are fine. But some aren’t. Maybe they’re typosquatting popular libraries. Maybe they’re trying to steal your environment variables. Maybe they’re just poorly maintained and full of vulnerabilities.

You probably don’t check every package manually. Who has time for that?

NPQ acts like a bouncer for your npm installs. When you try to install something, it checks a bunch of things first:

[1] The package name looks legitimate and isn’t trying to impersonate something popular.

[2] The maintainer has a reasonable history and isn’t brand new with no other packages.

[3] The package doesn’t have obvious red flags like requesting unnecessary permissions or making suspicious network calls.

If something looks wrong, NPQ blocks the install and tells you why. If everything checks out, your install proceeds normally.

Since npq is a pre-step to ensure that the npm package you’re installing is safe, you can safely embed it in your day-to-day npm usage so there’s no need to remember to run npq explicitly.

Terminal window
alias npm='npq-hero'

Found this article helpful? You might enjoy my free newsletter. I share dev tips and insights to help you grow your coding skills and advance your tech career.


Check out these related articles that might be useful for you. They cover similar topics and provide additional insights.

Webdev
12 min read

Robust Data Fetching Architecture For Complex React/Next.js Apps

How I use the 'Three Layers of Data' architecture pattern for React and Next.js apps to avoid common pitfalls, tech debt, and improve performance

May 4, 2025
Read article
Webdev
7 min read

How to Land Your First Tech Job

A developer's guide to tech interviews - from someone who sits on both sides of the table

Oct 24, 2024
Read article
Webdev
3 min read

Native Popover Element with HTML

Create overlays and dropdowns easily with the native HTML popover API

Jan 24, 2025
Read article
Webdev
4 min read

Speed Up Your Website With rel='preconnect' and increase PageSpeed Insights Score

Using link rel='preconnect' can improve your website's performance by reducing connection setup times to key external domains.

Sep 13, 2024
Read article
Webdev
3 min read

CSS @supports: Write Future-Proof CSS

Detect CSS feature support and provide smart fallbacks with @supports

Dec 6, 2024
Read article
Webdev
13 min read

10 Essential Terminal Commands Every Developer Should Know

List of useful Unix terminal commands to boost your productivity. Here are some of my favorites.

Aug 21, 2024
Read article
Webdev
3 min read

Form Validation That Doesn't Annoy Users: CSS :user-valid and :user-invalid

The new pseudo-classes :user-valid and :user-invalid give us a smarter way to style form validation states based on user interaction

Dec 12, 2024
Read article
Webdev
3 min read

scrollbar-width & scrollbar-gutter: CSS Properties for Layout Control

Prevent content shifts and refine scrollable UIs with scrollbar-width and scrollbar-gutter

Dec 19, 2024
Read article
Webdev
3 min read

align-content: The Simplest Way to Center Content with CSS

Finally, we can center things in block layouts without flexbox gymnastics

Dec 13, 2024
Read article

This article was originally published on https://www.trevorlasn.com/blog/npq-protects-npm-installs-from-malicious-packages. It was written by a human and polished using grammar tools for clarity.