Instantly trace any npm package to its origin—across every repository, pull request, and contributor—with StepSecurity’s NPM Package Search.

StepSecurity

StepSecurity has launched npm Package Search, a tool that lets security teams trace any npm package back to the exact pull request where it was introduced across GitHub organizations. Unlike traditional SCA tools that show current dependency state, it provides full historical context: which PRs added a package, who introduced it, and when. This is designed to accelerate incident response during supply chain attacks — like the Shai-Hulud worm or the Nx build system compromise — by turning hours of manual repository auditing into seconds of targeted queries. Use cases include blast radius assessment, dependency auditing, and developer activity correlation during compromises.

Introducing npm Package Search: Find Where Any Package Was Introduced Across Your GitHub Organizations

How npm Package Search Differs from Traditional SCA Tools