StepSecurity has launched npm Package Search, a tool that lets security teams trace any npm package, across an organization's GitHub repositories, back to the exact pull request that introduced it. Unlike traditional SCA tools, which report only the current dependency state, it provides the full historical context: which PRs added a package, who introduced it, and when. The goal is to accelerate incident response during supply chain attacks such as the Shai-Hulud worm or the Nx build system compromise, turning hours of manual repository auditing into seconds of targeted queries. Use cases include blast radius assessment, dependency auditing, and correlating developer activity during a compromise.
Table of contents
The npm Supply Chain Attack Problem
Introducing npm Package Search
How npm Package Search Differs from Traditional SCA Tools
How npm Package Search Works
Real-World Use Cases
Get Started
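The historical query the summary describes (which change introduced a package, by whom, and when) can be reconstructed for a single repository with plain git. The script below is an added example, not StepSecurity's code or the npm Package Search implementation: it walks every revision of package.json oldest-first, records the commit in which each dependency first appears (or reappears after removal), and then asks, for a set of package names, which repositories ever pulled them in. Attribution is to commits rather than pull requests; mapping a commit to its PR is a separate step this example does not perform. The commit hashes, authors and the package name "acme-utils" in the sample history are constructed, and `snapshots_from_git` is the only part that needs a real clone.

```python
"""Trace the commit in which each npm dependency entered a repository's package.json.

Added example, not StepSecurity's code: it rebuilds, for one local clone, the
per-revision history that npm Package Search provides across an organization.
Attribution is to commits; mapping a commit to its pull request is a separate
step (merge-commit message or GitHub API) that this example does not perform.
"""
import json
import subprocess
from dataclasses import dataclass

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")

@dataclass(frozen=True)
class Introduction:
    package: str
    version: str  # spec as written in package.json, e.g. "^4.19.0"
    section: str  # which dependency section it was added to
    commit: str
    author: str
    date: str

def dependency_map(package_json_text):
    """Return {package: (section, spec)} for a package.json body; {} if unparsable."""
    try:
        data = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    deps = {}
    for section in DEP_SECTIONS:
        for name, spec in (data.get(section) or {}).items():
            deps[name] = (section, str(spec))
    return deps

def find_introductions(snapshots):
    """snapshots: (commit, author, date, package_json_text) tuples, oldest first.

    Returns {package: [Introduction, ...]}: one entry per commit in which the
    package appears without being in the previous revision. A version bump is
    therefore not an introduction, but a remove-then-re-add counts twice.
    """
    intros, previous = {}, {}
    for commit, author, date, text in snapshots:
        current = dependency_map(text)
        for name, (section, spec) in current.items():
            if name not in previous:
                intros.setdefault(name, []).append(
                    Introduction(name, spec, section, commit, author, date))
        previous = current
    return intros

def blast_radius(repo_snapshots, compromised):
    """{repo: snapshots} and a set of package names -> {package: [(repo, Introduction)]}.

    Only packages actually found in some repository appear in the result.
    """
    hits = {}
    for repo, snapshots in repo_snapshots.items():
        for name, intro_list in find_introductions(snapshots).items():
            if name in compromised:
                hits.setdefault(name, []).extend((repo, i) for i in intro_list)
    return hits

def snapshots_from_git(repo_path, path="package.json"):
    """Read every revision of package.json from a local clone, oldest first.

    Plain git only: `git log --reverse` lists the commits that touched the file,
    `git show <commit>:<path>` fetches each revision ("" if the commit deleted it).
    """
    fmt = "%H%x1f%an%x1f%aI"  # 0x1f-separated hash, author name, ISO-8601 author date
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "--reverse", f"--format={fmt}", "--", path],
        capture_output=True, text=True, check=True).stdout
    snapshots = []
    for line in log.splitlines():
        commit, author, date = line.split("\x1f")
        show = subprocess.run(["git", "-C", repo_path, "show", f"{commit}:{path}"],
                              capture_output=True, text=True)
        snapshots.append((commit, author, date, show.stdout if show.returncode == 0 else ""))
    return snapshots

# Constructed sample history for one repository: hypothetical commits and authors,
# and the hypothetical package "acme-utils" standing in for a compromised package.
SAMPLE_SNAPSHOTS = [
    ("a1b2c3d", "alice", "2025-06-01T10:00:00+00:00",
     '{"name": "web", "dependencies": {"express": "^4.19.0"}}'),
    ("b2c3d4e", "bob", "2025-08-20T09:30:00+00:00",  # acme-utils and jest introduced
     '{"name": "web", "dependencies": {"express": "^4.19.0", "acme-utils": "1.3.0"},'
     ' "devDependencies": {"jest": "^29.0.0"}}'),
    ("c3d4e5f", "alice", "2025-09-02T14:15:00+00:00",  # express bumped: not an introduction
     '{"name": "web", "dependencies": {"express": "^4.20.0", "acme-utils": "1.3.0"},'
     ' "devDependencies": {"jest": "^29.0.0"}}'),
    ("d4e5f6a", "carol", "2025-09-10T08:00:00+00:00",  # acme-utils removed
     '{"name": "web", "dependencies": {"express": "^4.20.0"}, "devDependencies": {"jest": "^29.0.0"}}'),
    ("e5f6a7b", "bob", "2025-09-15T16:45:00+00:00",  # acme-utils re-added: a second introduction
     '{"name": "web", "dependencies": {"express": "^4.20.0", "acme-utils": "1.3.0"},'
     ' "devDependencies": {"jest": "^29.0.0"}}'),
]
```

Against the sample history, `blast_radius({"web": SAMPLE_SNAPSHOTS}, {"acme-utils"})` reports two introductions in repo "web", both by bob (commits b2c3d4e and e5f6a7b), while the express version bump in c3d4e5f is correctly ignored. For a real organization you would build `repo_snapshots` by calling `snapshots_from_git` on each clone; the re-add case matters in practice because a package that was removed after an advisory and later reintroduced is exactly the one an SCA snapshot of today's lockfile will not flag.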