Catch malicious npm packages before they land in your repo

AI agents happily run npm install on package names from tutorials. A hosted MCP tool can interrogate the live registry first — the same workflow that flagged a convincing fake Stripe SDK on the Zephex homepage.

The workflow

1. Connect Zephex via install or Cursor.
2. Before adding a dependency, ask: "Run check_package on package-nameand tell me if it is safe."
3. Review: weekly downloads, maintainer history, typosquat distance, postinstall scripts, known CVEs.
4. For major upgrades, follow with audit_package.

Why hosted MCP

Registry scans need fresh network data and maintained rules — not a one-off local script per developer. Zephex runs the check on every machine with the same logic.

check_package reference · All tools