Every npm package.
Scanned. Verified. Secured.

ZapaGuard intercepts your npm installs at the edge, strips auth tokens before they ever touch a log, scans package tarballs with ClamAV today, and is adding OSV and Trivy checks next.

# point your npm registry at ZapaGuard
# npm
npm config set registry https://get.zapaguard.com/npm/
# pnpm
pnpm config set registry https://get.zapaguard.com/npm/

// how_it_works_

01 Intercept

Your npm-compatible client hits the ZapaGuard edge worker. Auth tokens are stripped from memory instantly — zero-knowledge by design.

02 Verify

D1 is queried for a scan verdict. Clean package? The edge immediately sends the npm client to the trusted tarball path.

03 Scan

Unknown package versions are queued for local scanning. ClamAV runs now; OSV and Trivy workers are being added to expand the verdict.

04 Deliver

Green npm packages are served. Red packages are blocked. Every decision is logged with a full audit trail in D1.

// features_

Zero-Knowledge Token Strip

Auth headers are deleted from memory before any routing or logging occurs. Your credentials never leave your machine.

Cloudflare Edge

Runs entirely on Cloudflare Workers, D1, R2, and Queues. No servers to manage, globally distributed by default.

Local Scanner Pipeline

Package tarballs are scanned on private infrastructure, with ClamAV active and OSV plus Trivy workers in progress.

Scoped Package Support

Full support for scoped packages like @babel/core with correct %2f URL encoding preserved end-to-end.

Verdict-First Delivery

Verified packages are released quickly from the edge path. Pending scans return retryable responses until the verdict is ready.
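The four how-it-works steps (Intercept, Verify, Scan, Deliver) together with the Scoped Package Support and Verdict-First Delivery features describe one request flow. The following is an added example written for this page, not ZapaGuard's own code: a minimal verdict-first proxy handler in the shape of a Cloudflare Worker fetch handler, backed by an in-memory stand-in for the D1 verdict table, the scan queue and the audit trail. The route shape (`/npm/<name>/-/<file>.tgz`), the upstream origin `TRUSTED_TARBALL_ORIGIN`, the store interface (`getVerdict`, `enqueueScan`, `recordVerdict`), the `Retry-After` value and the sample package versions are all assumptions made for the example.

```javascript
// Added example, not ZapaGuard's code. Assumed upstream for verified tarballs
// (the page's "trusted tarball path"; the real value is ZapaGuard's, not this).
const TRUSTED_TARBALL_ORIGIN = "https://registry.npmjs.org";

// Step 01 (Intercept): build the outbound header set from an allowlist, so
// Authorization, npm auth headers and cookies are never copied forward and can
// never reach a log. Allowlisting beats deleting known names: a credential in
// an unexpected header is dropped too.
const FORWARDED_HEADERS = new Set(["accept", "accept-encoding", "user-agent"]);

function stripAuth(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (FORWARDED_HEADERS.has(key)) clean[key] = value;
  }
  return clean;
}

// Scoped Package Support: parse "/npm/@babel%2fcore/-/core-7.24.0.tgz" and keep
// the encoded slash intact for the upstream URL. Returns null for any path
// that is not a well-formed tarball request (a scoped name whose slash is not
// %2f-encoded is rejected rather than guessed at).
function parseTarballPath(pathname) {
  const parts = pathname.split("/"); // ["", "npm", "<name>", "-", "<file>.tgz"]
  if (parts.length !== 5 || parts[1] !== "npm" || parts[3] !== "-") return null;
  const [encodedName, file] = [parts[2], parts[4]];
  if (!/^(@[^@%]+%2[fF])?[^@%/]+$/.test(encodedName) || !file.endsWith(".tgz")) return null;
  const name = decodeURIComponent(encodedName); // "@babel%2fcore" -> "@babel/core"
  const unscoped = name.includes("/") ? name.split("/")[1] : name;
  if (!file.startsWith(unscoped + "-")) return null; // tarball is "<unscoped>-<version>.tgz"
  const version = file.slice(unscoped.length + 1, -".tgz".length);
  return version ? { name, encodedName, file, version } : null;
}

// Stand-in for the D1 verdict table, the scan queue and the audit trail
// (assumption: the real project uses D1 and Queues). Keys are
// "<name>@<version>"; verdicts are "clean" or "malicious".
function createVerdictStore(seed = {}) {
  const verdicts = new Map(Object.entries(seed));
  const queue = [];
  const audit = [];
  return {
    getVerdict: (key) => verdicts.get(key) ?? "unknown",
    enqueueScan: (key) => { if (!queue.includes(key)) queue.push(key); },
    recordVerdict: (key, verdict) => { verdicts.set(key, verdict); },
    queued: () => [...queue],
    audit,
  };
}

// Steps 02-04: look up the verdict, queue unknown versions, then deliver,
// block, or ask the client to retry. `req` is { url, headers } like a fetch
// Request; the result is a plain { status, headers, body } object.
function handleTarballRequest(req, store) {
  const forwardHeaders = stripAuth(req.headers); // before any routing or logging
  const parsed = parseTarballPath(new URL(req.url).pathname);
  if (!parsed) return { status: 404, headers: {}, body: "not a tarball path" };

  const key = `${parsed.name}@${parsed.version}`;
  const verdict = store.getVerdict(key); // step 02: Verify
  let res;
  if (verdict === "clean") {
    // Green: redirect to the trusted tarball path with %2f preserved.
    const location = `${TRUSTED_TARBALL_ORIGIN}/${parsed.encodedName}/-/${parsed.file}`;
    res = { status: 302, headers: { location }, body: "" };
  } else if (verdict === "malicious") {
    res = { status: 403, headers: {}, body: `blocked: ${key} failed scanning` };
  } else {
    store.enqueueScan(key); // step 03: Scan (hand off to the local scanner)
    // Retryable response: the client comes back once the verdict is recorded.
    res = { status: 503, headers: { "retry-after": "5" }, body: `scan pending for ${key}` };
  }
  // Step 04: audit every decision. Only the names of the forwarded headers are
  // recorded, so the trail cannot contain a token even by accident.
  store.audit.push({ key, verdict, status: res.status, forwarded: Object.keys(forwardHeaders) });
  return res;
}

// Constructed walkthrough: the first request for an unscanned version is queued
// and told to retry; once the scanner records a verdict the same request is
// served; a version with a malicious verdict is blocked.
function runDemo() {
  const store = createVerdictStore({ "evil-pkg@1.0.0": "malicious" }); // constructed seed
  const req = {
    url: "https://get.zapaguard.com/npm/@babel%2fcore/-/core-7.24.0.tgz",
    headers: { Authorization: "Bearer npm_EXAMPLE_TOKEN", Accept: "application/octet-stream" },
  };
  const first = handleTarballRequest(req, store);       // 503, version queued
  store.recordVerdict("@babel/core@7.24.0", "clean");   // scanner finished
  const second = handleTarballRequest(req, store);      // 302 to the trusted path
  const blocked = handleTarballRequest(
    { url: "https://get.zapaguard.com/npm/evil-pkg/-/evil-pkg-1.0.0.tgz", headers: {} }, store);
  return { statuses: [first.status, second.status, blocked.status], store };
}
```

The allowlist in `stripAuth` is the part that makes the "zero-knowledge" claim checkable: the audit entries only ever see the header names that survived it, so a grep of the trail for a token value comes back empty regardless of which header the client used to send it.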

Open Source

Don't trust my private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.

OSV Database Matching

OSV advisory matching is being wired as a decoupled worker backed by a local npm vulnerability index.

Trivy Worker In Progress

Trivy support is being added for deeper package analysis alongside ClamAV and OSV-backed checks.

ClamAV Malware Engine

Every npm package tarball is run through ClamAV's signature engine to catch trojans, backdoors, and embedded malware before they reach your build.

Ready to secure your npm supply chain?

Open source, self-hostable, and built for teams that take npm package security seriously.