nproxy sits between your developers and npm. Every install passes through six security rules. Dangerous versions are silently resolved to the last safe release. Developers never notice.
$ npm install event-stream
resolving packages via acme.nproxy.app...
BLOCKED event-stream@3.3.6 — publisher_change, unexpected_deps
resolved to event-stream@3.3.4 (last safe version)
added 1 package in 1.2s
$
In 2024, over 20,000 malicious packages were published to npm.
6,500+ npm accounts compromised in 2024
11M weekly downloads before the event-stream backdoor was discovered
48 hrs average time before malware is flagged on npm
Step 1: Configure your registry
Point your package manager at your nproxy endpoint. One line in .npmrc.
registry=https://acme.nproxy.app/
Step 2: Every install is analyzed
nproxy intercepts package metadata, applies six security rules, and strips blocked versions from the response.
Step 3: Developers never notice
Safe packages install normally. Dangerous ones silently resolve to the latest safe version. No friction, no alerts to ignore.
malware (block)
Blocks packages flagged as known malware by Socket.dev and npm advisories.
Catches: Trojans, cryptominers, credential stealers
first_seen (block)
Blocks versions published within the last 7 days, giving the community time to vet new releases.
Catches: Zero-day supply chain attacks, typosquats
unexpected_deps (warn)
Warns when a new version adds dependencies that were never part of the package before.
Catches: Dependency injection attacks (event-stream)
publisher_change (warn)
Warns when a package version is published by a different maintainer than previous versions.
Catches: Account takeovers, social engineering transfers
install_scripts (warn)
Warns when a package includes preinstall, postinstall, or other lifecycle scripts.
Catches: Arbitrary code execution during install
score (warn)
Warns when a package's overall Socket.dev risk score falls below the configured threshold.
Catches: Low-quality, abandoned, or suspicious packages
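How the six rules can be evaluated over the registry metadata a proxy like this intercepts, as an added example that is not nproxy's code: the field names follow the public npm registry response shape (versions[v]._npmUser, dependencies, scripts, time, dist-tags) and are assumed, the malware feed and Socket.dev scores are caller-supplied stand-ins, and the sample packument is constructed. It also makes one design choice the page does not spell out: each version is compared against the last accepted version rather than the one published immediately before it, so the second release after a takeover is still caught.

```javascript
const DAY_MS = 86400e3;
// Each rule gets the version object, the baseline (last accepted version's publisher and the
// union of its dependencies) and a context with publish times plus stand-in malware/score feeds.
const RULES = {
  malware:          (v, b, c) => c.malware.has(`${v.name}@${v.version}`),
  first_seen:       (v, b, c) => c.now - Date.parse(c.time[v.version]) < 7 * DAY_MS,
  unexpected_deps:  (v, b) => b.set && Object.keys(v.dependencies || {}).some(d => !b.deps.has(d)),
  publisher_change: (v, b) => b.set && (v._npmUser || {}).name !== b.publisher,
  install_scripts:  (v) => ['preinstall', 'install', 'postinstall'].some(s => s in (v.scripts || {})),
  score:            (v, b, c) => v.version in c.scores && c.scores[v.version] < c.scoreThreshold,
};
// Walk versions in publish order. The baseline advances only past accepted versions, so a
// second release by a new publisher is still compared against the last trusted one.
function screen(packument, ctx, policy) {
  const c = { ...ctx, time: packument.time };
  const order = Object.keys(packument.versions)
    .sort((x, y) => Date.parse(c.time[x]) - Date.parse(c.time[y]));
  const base = { set: false, publisher: null, deps: new Set() };
  const safe = [], blocked = {}, warnings = {};
  for (const ver of order) {
    const v = packument.versions[ver];
    const hits = Object.keys(RULES).filter(r => RULES[r](v, base, c));
    if (hits.some(r => policy.block.includes(r))) { blocked[ver] = hits; continue; }
    if (hits.length) warnings[ver] = hits;
    safe.push(ver);
    base.set = true;
    base.publisher = (v._npmUser || {}).name;
    Object.keys(v.dependencies || {}).forEach(d => base.deps.add(d));
  }
  // Strip blocked versions and repoint "latest" at the last safe release if it pointed at one.
  const versions = Object.fromEntries(safe.map(ver => [ver, packument.versions[ver]]));
  const tags = { ...packument['dist-tags'] };
  if (!(tags.latest in versions)) tags.latest = safe[safe.length - 1];
  return { packument: { ...packument, versions, 'dist-tags': tags }, blocked, warnings };
}
// Constructed sample modelled on the event-stream takeover; names, dates and ranges are
// illustrative, not the real registry metadata.
const deps = (extra) => ({ through: '~2.3.1', 'map-stream': '~0.1.0', ...extra });
const SAMPLE = {
  name: 'event-stream', 'dist-tags': { latest: '3.3.6' },
  time: { '3.3.4': '2018-01-10T00:00:00Z', '3.3.5': '2018-09-09T00:00:00Z', '3.3.6': '2018-09-16T00:00:00Z' },
  versions: {
    '3.3.4': { name: 'event-stream', version: '3.3.4', _npmUser: { name: 'original-maintainer' }, dependencies: deps() },
    '3.3.5': { name: 'event-stream', version: '3.3.5', _npmUser: { name: 'new-publisher' }, dependencies: deps({ 'flatmap-stream': '~0.1.0' }) },
    '3.3.6': { name: 'event-stream', version: '3.3.6', _npmUser: { name: 'new-publisher' }, dependencies: deps({ 'flatmap-stream': '~0.1.0' }) },
  },
};
const CTX = { now: Date.parse('2018-11-01T00:00:00Z'), malware: new Set(), scores: {}, scoreThreshold: 50 };
const POLICY = { block: ['malware', 'first_seen', 'publisher_change', 'unexpected_deps'] };
console.log(screen(SAMPLE, CTX, POLICY).blocked);
```

With POLICY blocking on publisher_change and unexpected_deps (as the terminal demo at the top of the page does), both 3.3.5 and 3.3.6 are stripped and "latest" falls back to 3.3.4; with a warn-only policy for those two rules, 3.3.5 is accepted with warnings and becomes the new baseline, so 3.3.6 passes clean.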
nproxy would have blocked every one.
event-stream (2018)
A trusted maintainer transferred ownership to a stranger who injected a crypto-stealing dependency. The backdoor lived in production for two months.
Rules: publisher_change, unexpected_deps · 11M weekly downloads at time of attack
ua-parser-js (2021)
Account takeover led to three malicious versions shipping a cryptominer and credential stealer to millions of installs.
Rules: malware, publisher_change · 8M weekly downloads at time of attack
colors.js (2022)
Maintainer protest pushed a version with infinite loops, breaking thousands of downstream projects including AWS CDK.
Rules: malware · 25M weekly downloads at time of attack
No agent to install. No binary to manage. Just change one registry URL and every developer on your team is protected.
Deploy at scale by pushing .npmrc and certificates via MDM. Developers don't have to do anything.
npm / pnpm (.npmrc)
registry=https://acme.nproxy.app/
yarn (.yarnrc.yml)
npmRegistryServer: "https://acme.nproxy.app/"
GitHub Actions
- uses: actions/setup-node@v4
  with:
    node-version: 20
    registry-url: "https://acme.nproxy.app/"
Everything your security team needs. Nothing your developers notice.
SCIM provisioning
Connect Okta or any SCIM 2.0 IdP. Users and API tokens are provisioned automatically. Offboarding means instant revocation.
mTLS device auth
Push client certificates via MDM. Every request is authenticated to a specific device and user. Bring your own CA.
Internal packages
Host private packages alongside public ones. Same registry, same .npmrc, same npm install. Stored in R2 with org-level isolation.
Per-user audit trail
Every install, every publish, every blocked package — traced to a specific user via their cert and token identity.
Deploy via MDM. Cert + token + .npmrc pushed to every machine. Developer does nothing.
Pro
$49/mo
Enterprise
Custom
Cross-org dependency trust graph. See which packages your industry peers trust. Shared signals across organizations make everyone safer.
Multi-registry support. PyPI, Maven, and Cargo are next. One proxy, every ecosystem.
We're building the layer between your code and the open source ecosystem.