
PackGuard
Developer Tools
Block AI config leaks before npm publish fires
About
PackGuard integrates with prepublishOnly to inspect npm packages before they are published. It scans tarballs and prevents the inclusion of AI assistant dotfiles, exposed live keys, source maps containing embedded source, and high-entropy secrets. The tool will halt publication until all issues are resolved. It is offered free of charge for individual open-source developers. Currently, 428 npm packages have been found to contain AI assistant dotfiles, with 33 exposing live keys.
Launched
May 19, 2026
Week 11
Builder
Builder