Introducing Package Manager Guard (PMG)
Table of Contents
Let’s say you are building an Express.js application. You need a cookie parser middleware. But instead of installing the original cookie-parser package, you install express-cookie-parser which is a malicious package, although removed from the npm registry. We developers want to get the job done while in the flow state. We hate going outside our terminals and IDEs to check if a package we are installing is malicious or not. This behavior is exploited by malicious actors to compromise developers through typosquatting and other supply chain attacks. To protect the software supply chain, we need to protect developers from malicious packages at the time of installation. This is where Package Manager Guard (PMG) comes in.
What is PMG?
PMG is a tool to protect developers from malicious packages at the time of installation. It is a CLI tool that
wraps popular package managers like npm, pnpm, etc. It prevents installation of malicious packages by scanning
the package at the time of installation.
How do I use PMG?
The easiest way to install PMG is using homebrew. For other installation options, please refer to the
PMG GitHub repository.
brew install safedep/tap/pmgIn your NPM project, you can now install any package using pmg as a security guard.
pmg npm install reactThe goal of PMG is to be as hidden and out of the way as possible while protecting developers from installing malicious packages. For a seamless experience, add PMG as an alias for your package manager.
alias npm="pmg npm"alias pnpm="pmg pnpm"That’s it! PMG will now protect you from installing malicious packages.
Demo
Bugs and Feedback
If you find any bugs or have any feedback, please file an issue on the PMG GitHub repository. You can also join SafeDep Community Discord to discuss PMG and other SafeDep products.
- pmg
- malware
- security
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering
@marketfront: 25 npm Packages Reuse a Known Lure
On July 1, 2026, npm user marketfront batch-published 25 packages carrying the same README lure SafeDep has tracked across four earlier accounts (mr.4nd3r50n, pik-libs, t-in-one, emcd-vue): "Internal...
Miasma Worm Infects Multiple LeoPlatform npm Packages
A Miasma worm variant compromised a single maintainer account and used it to publish infected versions of 20 LeoPlatform npm packages within a 3-second window. The worm also pushed weaponized GitHub...
The Polymarket Trap: A Fake Arbitrage Bot, Ten npm Accounts, and Four Ways to Deliver an Infostealer
A GitHub repository posing as a Polymarket arbitrage bot accumulated 53 forks before anyone flagged the malicious npm package buried in its dependencies. Behind that repo: ten coordinated npm...
The wshu.net npm Campaign Delivers a Multi-Stage Infostealer
One actor seeded 15 npm packages across 13 throwaway scopes in a single morning, each shipping a ~270KB obfuscated downloader behind a postinstall hook. The downloader pulls a Rust infostealer from...
Ship Code.
Not Malware.
Start free with open source tools on your machine. Scale to a unified platform for your organization.