Detect malicious node js packages

kohldampfer · September 10, 2025, 10:25am

In the last days, there were in the news that some NodeJS / NPM packages were compromised (see here for more information: npm debug and chalk packages compromised )

Is it possible with SonarQube to find out if one of our projects is using a compromised version? What would I need for that?

bill.nottingham · September 10, 2025, 6:07pm

Thanks for the interest - ihis is not directly in the product at this time, but is on the roadmap.

Topic		Replies	Views
Evaluate the project package sources (such as NuGet/NPM) and analyse vulnerabilities New rules / language support sonarqube-cloud	0	459	February 28, 2019
How to get code coverage, vulnerabilities, bugs, code smells,debt etc for a specific project using Rest Api? SonarQube Server / Community Build sonarqube	0	739	February 21, 2019
About the Suggest new features category Suggest new features	1	1186	March 23, 2022
Create a custom rule for review dependecis versions SonarQube Cloud sonarqube , custom_rules	1	7	January 23, 2026
API call to return quality gate status for a given version Suggest new features sonarqube	0	375	February 25, 2019

Detect malicious node js packages

Related topics