Shim Security

Make npm install safe by default

Intercept risky package installs before they reach your project. Shim sits in front of your package manager, extracts dependency metadata, sends it to a background daemon, and returns a clear allow, warn, or block verdict before the real install continues.


Threat Monitor

  • 3 built-in scanners in the current daemon flow
  • 3 manager adapters wired today: npm, pnpm, yarn
  • 3 verdicts the policy engine can return: allow, warn, block

A real install gate, not just another dashboard.

The current codebase already behaves like an install-time control point. It intercepts mutating commands, talks to a local daemon over IPC, runs multiple scanners, and returns findings with remediation details.

Readable remediation output

Warn or block policy engine — built for real workflows, not audit theatre.

01. Shim plus daemon architecture
A thin CLI shim forwards install decisions to a long-running daemon, keeping enforcement separate from package manager execution.
  • Intercepts mutating install and update commands before execution
  • Uses IPC between the shim and daemon to request scan verdicts
  • Forwards the real package manager command only after evaluation
02. Pluggable scanner pipeline
The daemon already combines several scanner engines so risk is based on more than a single package list or one keyword match.
  • Local flagged-package database with version-specific remediation
  • Lifecycle script inspection for preinstall, install, and postinstall behavior
  • Recent-release scanner that warns on versions published within the last 48 hours
03. Policy and caching for real workflows
Findings flow into a simple policy engine, and approved exact versions can be cached so repeated installs stay cleaner.
  • High and critical findings block installs automatically
  • Medium and low findings surface as warnings with user confirmation
  • Approved package versions can be remembered in the local scan cache
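The scanner pipeline and policy engine from the two sections above, as an added example that is not Shim's own code: three scanners emit findings with a severity and a remediation, the policy maps high/critical to block and medium/low to warn, and exact versions already approved in the cache skip the scan. The package records, the flagged-package database contents and all timestamps are constructed sample data.

```javascript
// Added example, not Shim's own code: a miniature of the three scanners and the
// policy engine described above. Package records, the flagged-package database
// and the timestamps are all constructed sample data.
const MS_48H = 48 * 60 * 60 * 1000;
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Constructed stand-in for the local flagged-package database (version-specific).
const FLAGGED_DB = {
  "example-evil-lib": { versions: ["1.2.3"], severity: "critical",
    remediation: "remove example-evil-lib@1.2.3; 1.2.4 is not flagged" },
};
// Each scanner receives {name, version, scripts, publishedAt} and returns findings.
function scanFlaggedDb(pkg) {
  const entry = FLAGGED_DB[pkg.name];
  if (!entry || !entry.versions.includes(pkg.version)) return [];
  return [{ scanner: "flagged-db", severity: entry.severity,
            detail: `${pkg.name}@${pkg.version} is in the flagged database`,
            remediation: entry.remediation }];
}

function scanLifecycleScripts(pkg) {
  return LIFECYCLE_HOOKS.filter((hook) => pkg.scripts && pkg.scripts[hook])
    .map((hook) => ({ scanner: "lifecycle", severity: "medium",
      detail: `${pkg.name} runs a ${hook} script: ${pkg.scripts[hook]}`,
      remediation: "review the script before allowing it to run" }));
}

function scanRecentRelease(pkg, now) {
  const ageMs = now - Date.parse(pkg.publishedAt);
  if (!(ageMs >= 0 && ageMs < MS_48H)) return [];   // also skips a missing/invalid date
  return [{ scanner: "recent-release", severity: "low",
            detail: `${pkg.name}@${pkg.version} was published ${Math.floor(ageMs / 3600000)}h ago`,
            remediation: "prefer a version that has been public for over 48 hours" }];
}

// Policy engine: any high/critical finding blocks, medium/low warns, none allows.
// Exact versions already approved in the cache skip scanning entirely.
function evaluateInstall(packages, now = Date.now(), approvedCache = new Set()) {
  const findings = [];
  for (const pkg of packages) {
    if (approvedCache.has(`${pkg.name}@${pkg.version}`)) continue;
    findings.push(...scanFlaggedDb(pkg), ...scanLifecycleScripts(pkg), ...scanRecentRelease(pkg, now));
  }
  const blocks = findings.some((f) => f.severity === "critical" || f.severity === "high");
  return { verdict: blocks ? "block" : findings.length ? "warn" : "allow", findings };
}

// Demo on a constructed record: published 12h ago and carrying a postinstall hook.
console.log(evaluateInstall([{ name: "example-new-lib", version: "0.1.0",
  scripts: { postinstall: "node ./setup.js" },
  publishedAt: new Date(Date.now() - 12 * 3600000).toISOString() }]).verdict); // warn
```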

Drop Shim in front of your package manager and keep the normal workflow.

The repo already builds manager-specific shim binaries and a daemon. Place the shim earlier in your path, let it consult the daemon, then continue with the real tool if the verdict allows it.

bash
curl -fsSL https://github.com/shim-sec/shim/releases/download/latest/install.sh | bash
powershell
powershell -c "irm https://github.com/shim-sec/shim/releases/download/latest/install.ps1 | iex"

Built to grow from install protection into a larger security layer.

The repo is already structured for more scanners, more package managers, and stronger policy logic, so Shim can be described as a real, evolving system rather than a generic malware-checking concept.

NPM Adapter
Parses mutating commands, resolves the real npm binary, and expands dependency metadata before scanning.
Install aware · Dependency expansion

PNPM Adapter
Supports the same interception model for pnpm commands while preserving the user-facing CLI workflow.
Mutating commands · Shared scanner flow

Yarn Adapter
Handles add and install flows and falls back to npm metadata lookup when dependency resolution needs enrichment.
Adapter based · Extensible design

Shim Security — Package-manager interception, daemon-backed scanning, and policy verdicts for safer dependency installs.