Audit your dependencies.

GoAudit checks whether a npm / pnpm / bun install or a curl | sh is malicious by sandboxing the execution.

go install github.com/KushalMeghani1644/GoAudit-CLI/cmd/goaudit@latest
$ goaudit scan "cat ~/.aws/credentials"
╭─────────────────────────────────────────────╮ │ GoAudit Report: cat ~/.aws/credentials │ ╰─────────────────────────────────────────────╯
🚨 Verdict: malicious (confidence: 95)
🛡️ Sandbox: gVisor (runsc)
🔴 Critical Findings
1. CREDENTIAL THEFT: /root/.aws/credentials
└─ Read sensitive files like SSH keys, AWS credentials, or .env secrets
📋 Summary: 1 critical, 0 warnings, 0 informational
DO NOT INSTALL this package.

$ goaudit scan-project .
╭─────────────────────────────────────────────╮ │ GoAudit Report: scan-project . │ ╰─────────────────────────────────────────────╯
⚠️ Verdict: suspicious (confidence: 45)
⚠️ Sandbox: runc (install gVisor for stronger isolation)
⚠️ Warnings
1. PACKAGE HAS LIFECYCLE SCRIPT
└─ The package defines a lifecycle script in its registry metadata
📋 Summary: 0 critical, 1 warnings, 0 informational
Use --ci for full JSON output.

What GoAudit catches

FIG 0.1

Catch malicious behavior

Detect unauthorized file access, memory injections, and backdoors by running executions in a secure decoy sandbox.

FIG 0.2

Full Project Scanning

Analyze JavaScript codebases, resolving lockfiles and verifying registry metadata to catch anomalies and risky lifecycle scripts.

FIG 0.3

Intelligent Filtering

Reduce noise with an advanced tracing engine that deduplicates redundant calls and suppresses expected sandbox behavior.

FIG 0.4

Catch Privilege Escalation

Identify attempts to elevate privileges, run setuid/setgid binaries, or modify critical system configurations during execution.