packguard
428 npm packages already leaked

Stop shipping
your AI assistant's
secrets.

A Lakera audit of 46,500 npm packages found 428 containing .claude/settings.local.json. 33 had live API keys. PackGuard intercepts the tarball before it ships.

$npx packguard scan
npm →demo →
terminal
$ npx packguard scan
────────────────────────────────────────────────────────
FILE STATUS REASON
────────────────────────────────────────────────────────
.claude/settings.local.json BLOCKED ai_artifact:.claude
.cursor/mcp.json BLOCKED ai_artifact:.cursor
dist/index.js.map WARNING source_map_with_sources
dist/index.js CLEAN
README.md CLEAN
────────────────────────────────────────────────────────
✗ Publish blocked. Fix the issues above.
428
npm packages with AI config files
33
of those had live credentials
512K
lines leaked by Anthropic on Mar 31

How it works

01

Install the hook

One command wires packguard into your prepublishOnly script. Runs automatically on every publish.

packguard install
02

npm publish fires

The hook opens the about-to-ship tarball and inspects every file before it leaves your machine.

npm publish
03

Block or pass

AI config artifacts, embedded source maps, and high-entropy secrets get caught. Everything else ships.

exit 1 # blocked

What gets blocked

Every major AI coding assistant writes state files you never explicitly created. These are exact-match signatures — no heuristics, no false positives.

On top of that: source maps with embedded source and high-entropy strings matching known secret formats (Anthropic, GitHub, AWS, OpenAI, Stripe).

.claude/settings.local.jsonClaude Code
.cursor/mcp.jsonCursor
.codex/config.jsonCodex
.windsurf/configWindsurf
.aider.chat.history.mdAider
dist/index.js.mapsource map

Try it now

Paste any file list and see exactly what packguard would block. Same logic as the CLI, running serverless.

# or run it directly on your package:

npx packguard scan

# wire it permanently:

npx packguard install

npx packguard scan

Why not use what you already have

gitleaks / trufflehogScans git history after the fact. No signatures for .claude/, .cursor/, or any other AI assistant artifact.
Socket.devEnterprise dependency graph analysis. Runs post-publish. Doesn't intercept at npm pack time.
SnykBroad SAST/SCA tool. Not tuned to AI config files. No prepublishOnly hook.
PackGuardRuns at prepublishOnly — the exact moment before the tarball ships. AI-artifact signatures built in. Free for solo OSS, no account needed.

Questions

Does this send my code anywhere?

No. The CLI runs entirely on your machine. Nothing leaves your system unless you opt into the Pro audit log, which only sends scan metadata — never file contents.

Which AI tools does it cover?

Claude Code (.claude/), Cursor (.cursor/), Codex (.codex/), Windsurf (.windsurf/), Copilot (.copilot/), and Aider (.aider/). New tools get added as they emerge.

Does it work with PyPI or cargo?

The CLI is designed for it. npm support ships in v1. PyPI and cargo hooks are planned next.

What's the false-positive rate?

AI artifact detection is exact-match against known paths — zero false positives there. The entropy scanner can flag base64 in legitimate config; add a .packguardignore to suppress specific files.

Start right now. Free.

No account, no install. One command checks your entire package tarball.

$npx packguard scan

Pro is in early access.

Org audit log, CI token, team controls — ₹799/mo when it ships. Leave your email and I'll reach out when it's ready.