Published Jul 26, 2025

2 min read

Trevor I. Lasn

Builder, founder, based in Tartu, Estonia. Been coding for over a decade, led engineering teams, writing since 2015.

NPQ: Open source CLI tool that audits and protects your npm installs from malicious packages

A CLI tool that checks packages for security issues and social engineering attacks before they hit your project

I stumbled across the NPQ CLI tool while browsing GitHub, and it addresses something that’s been bugging me for years. Every time you run npm install, you’re basically trusting random strangers on the internet not to mess with your computer.

NPQ sits between you and npm, checking packages for sketchy behavior before they touch your project. Here’s the general idea:

1
➜ npm install -g npq
2

3
➜ npq install next
4
Packages with issues found:
5

6
 ┌─
7
 │ >  next@latest
8
 │
9
 │ ✖ Supply Chain Security · Detected a recently published version (published 2 days ago) - consider waiting for community review
10
 └─
11

12

13
Summary:
14

15
 - Total packages: 1
16
 - Total errors:   1
17
 - Total warnings: 0
18

19

20
Continue install ? (y/N) n

Why Audit Your Packages?

Here’s what happens when you install a package. You type npm install package and suddenly you’ve downloaded code from someone you’ve never met. That code runs on your machine with your permissions. It can read files, make network requests, and do whatever it wants.

Most packages are fine. But some aren’t. Maybe they’re typosquatting popular libraries. Maybe they’re trying to steal your environment variables. Maybe they’re just poorly maintained and full of vulnerabilities.

You probably don’t check every package manually. Who has time for that?

NPQ acts like a bouncer for your npm installs. When you try to install something, it checks a bunch of things first:

[1] The package name looks legitimate and isn’t trying to impersonate something popular.

[2] The maintainer has a reasonable history and isn’t brand new with no other packages.

[3] The package doesn’t have obvious red flags like requesting unnecessary permissions or making suspicious network calls.

If something looks wrong, NPQ blocks the install and tells you why. If everything checks out, your install proceeds normally.

Since npq is a pre-step to ensure that the npm package you’re installing is safe, you can safely embed it in your day-to-day npm usage so there’s no need to remember to run npq explicitly.

1
alias npm='npq-hero'

https://github.com/lirantal/npq

Found this article helpful? You might enjoy my free newsletter. I share dev tips and insights to help you grow your coding skills and advance your tech career.

Check out these related articles that might be useful for you. They cover similar topics and provide additional insights.

Webdev

3 min read

Preloading Responsive Images

How to properly preload responsive images to improve initial page load

How To Implement Content Security Policy (CSP) Headers For Astro

Content Security Policy (CSP) acts like a shield against XSS attacks. These attacks are sneaky - they trick your browser into running malicious code by hiding it in content that seems trustworthy. CSP's job is to spot these tricks and shut them down, while also alerting you to any attempts it detects.

CSS :has() - The Parent Selector We've Always Wanted

Transform your CSS with :has(), the game-changing selector that finally lets us style elements based on their children.

::details-content: style expandable content without wrapper divs

The ::details-content pseudo-element lets you style the expandable content of details elements separately from the summary, no divs needed.

Inside the CSS Engine: CSSOM Explained

A deep dive into how browsers parse and manipulate CSS, its impact on web performance, and why it matters

Micro Frontends: The LEGO Approach to Web Development

Explore the concept of micro frontends in web development, understand their benefits, and learn when this architectural approach is most effective for building scalable applications.