Teams accidentally ship source maps, internal code, API keys, and debug files in their NPM packages — sometimes leaking proprietary source code to the public registry.
A pre-publish hook and CI integration that analyzes your package tarball against a ruleset: detects .map files, embedded secrets, internal file paths, debug configs, and over-broad file inclusions. Blocks publish and alerts the team.
Freemium — free for open-source/individual use, paid tiers for team dashboards, policy enforcement, and Slack/PagerDuty alerts
The pain is real but infrequent — most teams don't know they've leaked until it's public and embarrassing. The Claude Code incident is a high-profile proof point, and the Reddit engagement (1,452 upvotes, 216 comments) shows developer awareness. However, this is a 'prevention' sell — teams don't feel the pain daily until the incident happens. Pain spikes to 10/10 post-incident but sits at 3/10 for teams who haven't been burned yet.
The total addressable market is narrow. Only teams that PUBLISH npm packages (not just consume them) are buyers. Estimated ~50,000-100,000 organizations actively publish to npm. At $50/month average, TAM is ~$30-60M/year. This is a solid niche but not a venture-scale market on its own. Could expand to PyPI, RubyGems, Maven, Docker Hub to 3-5x the market. As a standalone npm-only tool, this is a lifestyle business or acquisition target, not a unicorn.
Security tools have proven WTP in enterprise, but this is a narrow, preventive tool. Free alternatives (npm pack --dry-run, manual .npmignore review) exist even if they're inadequate. Many teams will just add a .npmignore and call it done after an incident. The paid tier needs to offer enough beyond what a well-configured .npmignore provides — team dashboards, policy enforcement, and Slack/PagerDuty alerts add value but may not justify $50+/seat/month for smaller teams. Enterprise security compliance requirements could drive larger deals.
Highly feasible for a solo dev MVP in 4-8 weeks. Core logic: run npm pack, extract tarball, scan contents against rules (regex for secrets, glob patterns for .map files, heuristics for internal paths/debug artifacts). npm-packlist provides the file list programmatically. Pre-publish hook is a well-documented npm lifecycle event. CI integration is straightforward (GitHub Action, GitLab CI template). No ML needed — rule-based scanning with configurable policies. The hardest part is reducing false positives on secret detection, but you can leverage existing regex patterns from GitGuardian/TruffleHog.
This is the strongest signal. NO existing tool specifically scans npm tarballs for the full spectrum of accidental leaks as a pre-publish gate. GitGuardian/TruffleHog only catch secrets (not source maps, paths, debug artifacts) and aren't npm-tarball-aware. Socket/Snyk scan inbound dependencies, not outbound publishes. publint checks structure, not security. The gap is wide, proven by a high-profile incident, and complementary to every existing tool in the space.
CI/CD integration creates natural recurring usage — runs on every publish attempt. Team dashboards, audit logs, and policy enforcement justify subscription. However, churn risk is real: once a team configures their .npmignore properly, the tool may feel like insurance they can cancel. Need to continuously add value via updated rulesets, new leak pattern detection, compliance reporting, and multi-registry support to maintain stickiness.
- +Perfect origin story — Claude Code incident is a high-profile, memorable proof point that every JS developer knows about
- +Zero direct competition — no existing tool covers outbound npm tarball scanning for the full leak spectrum
- +Technically simple MVP — rule-based scanning on npm pack output, achievable by a solo dev in 4-6 weeks
- +Complementary to existing security stack — not competing with Snyk/Socket/GitGuardian, fills their gap
- +Natural CI/CD integration creates sticky, recurring usage pattern
- +Open-source core strategy can drive adoption quickly in the npm community
- !Narrow market — only npm package publishers, not all npm users. TAM ceiling without multi-registry expansion
- !npm could build this in — a native npm publish --scan flag would kill the standalone market overnight
- !Prevention tools are hard to sell — teams don't feel the pain until after an incident, then they just fix .npmignore
- !Low switching cost — a well-maintained .npmignore + a simple shell script checking npm pack output covers 70% of the value
- !Secret detection is commoditizing — GitGuardian or TruffleHog could trivially add an npm tarball scanning mode
- !Risk of being a feature, not a product — could be absorbed by Socket.dev, Snyk, or GitHub as a minor feature addition
Real-time secret detection platform that scans Git repositories and CI/CD pipelines for leaked credentials using 400+ detectors. Offers pre-commit hooks and public GitHub monitoring.
Open-source secret scanner that searches Git history, filesystems, S3 buckets, and other sources for credentials. Uniquely verifies found secrets are actually live by testing them against APIs.
Supply chain security platform that proactively detects malicious behavior in npm/PyPI/Go dependencies through behavioral analysis — detecting network access, obfuscated code, typosquatting in packages you consume.
Developer security platform covering SCA
publint validates package.json correctness
CLI tool + GitHub Action. Core: runs `npm pack`, extracts tarball, scans against built-in rules (source maps, common secret patterns, .env files, internal path heuristics, debug configs like .vscode/, .idea/). Outputs a clear pass/fail report with specific file-level findings. Ships as both an npm pre-publish hook (`npm pkg set scripts.prepublishOnly='npx leak-scan'`) and a GitHub Action. Open-source core with a managed cloud dashboard as the paid upgrade. Launch with a blog post referencing the Claude Code incident.
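The scanning step that both the feasibility paragraph (run `npm pack`, extract, scan against rules) and this MVP description rely on, as an added example that is not the page's or any named tool's code. It assumes the caller has already extracted the `npm pack` tarball (or used npm-packlist) into a list of `{ path, content }` entries; every rule name, function name and sample file here is constructed, and the rule set is deliberately small.

```javascript
// Added example (not the page's own code): a rule-based scanner for the
// "npm pack -> extract -> scan" gate. Input is the tarball's file list with
// contents, as an extraction step or npm-packlist would provide; all names
// and sample data below are constructed for illustration.
const RULES = [
  // Path-based rules: artifacts that should almost never ship in a tarball.
  { id: 'source-map',     severity: 'high',   match: (f) => /\.(js|css)\.map$/.test(f.path) },
  { id: 'dotenv-file',    severity: 'high',   match: (f) => /(^|\/)\.env(\.[\w-]+)?$/.test(f.path) },
  { id: 'editor-config',  severity: 'low',    match: (f) => /(^|\/)\.(vscode|idea)\//.test(f.path) },
  { id: 'debug-config',   severity: 'medium', match: (f) => /(^|\/)(launch|nodemon)\.json$/.test(f.path) },
  { id: 'test-fixture',   severity: 'medium', match: (f) => /(^|\/)(__tests__|coverage|fixtures)\//.test(f.path) },
  // Content-based rules: embedded secrets and developer-machine paths.
  { id: 'aws-access-key', severity: 'high',   match: (f) => /\bAKIA[0-9A-Z]{16}\b/.test(f.content) },
  { id: 'private-key',    severity: 'high',   match: (f) => /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/.test(f.content) },
  { id: 'generic-token',  severity: 'medium', match: (f) => /(?:api[_-]?key|secret|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]/i.test(f.content) },
  { id: 'internal-path',  severity: 'medium', match: (f) => /(?:^|[\s"'(])\/(?:home|Users)\/[^/\s"']+\//.test(f.content) },
];

// Returns one finding per (file, rule) hit. Binary files pass content: '' and only hit path rules.
function scanPackageFiles(files) {
  const findings = [];
  for (const file of files) {
    for (const rule of RULES) {
      if (rule.match({ path: file.path, content: file.content || '' })) {
        findings.push({ rule: rule.id, severity: rule.severity, path: file.path });
      }
    }
  }
  return findings;
}

// Policy: which severities block the publish; everything else is reported as a warning.
function shouldBlockPublish(findings, blockOn = ['high']) {
  return findings.some((f) => blockOn.includes(f.severity));
}

// Constructed sample of what a careless `npm pack` might include (not from any real package).
const SAMPLE_TARBALL = [
  { path: 'package.json', content: '{"name":"demo","version":"1.0.0"}' },
  { path: 'dist/index.js', content: 'module.exports=function(){};\n//# sourceMappingURL=index.js.map' },
  { path: 'dist/index.js.map', content: '{"sources":["/Users/alice/work/demo/src/index.ts"]}' },
  { path: '.env.local', content: 'AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12' },
  { path: '.vscode/launch.json', content: '{"configurations":[]}' },
];

const report = scanPackageFiles(SAMPLE_TARBALL);
for (const f of report) console.log(`[${f.severity}] ${f.rule}: ${f.path}`);
console.log(shouldBlockPublish(report) ? 'publish BLOCKED' : 'publish ok');
```

Wired into `prepublishOnly`, a non-zero exit when `shouldBlockPublish` returns true is what actually stops `npm publish`; the low-severity editor-config hits show why a per-team policy knob matters for false-positive tolerance.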
Free OSS CLI (adoption driver) → Free GitHub Action with 50 scans/month → Pro at $19/month for unlimited scans + custom rules + Slack alerts → Team at $49/seat/month for org-wide policy enforcement, audit logs, dashboard, and PagerDuty integration → Enterprise at custom pricing for SSO, RBAC, compliance reporting, and multi-registry (PyPI, Maven, RubyGems) support
6-10 weeks to first dollar. Weeks 1-4: build CLI + GitHub Action, open-source it. Weeks 4-6: write launch blog post, post to Hacker News/Reddit referencing Claude Code incident, seed in npm community Discords. Weeks 6-8: launch free tier with usage limits. Weeks 8-10: introduce Pro tier for teams hitting limits. First paying customers likely from teams who recently had a leak incident and are searching for solutions.
- “Claude Code's source leaked via a map file in their NPM registry”
- “What a week it's been. First Axios library vulnerability report and now this”