I built an npm malware scanner in Rust because npm audit isn't enough

Last week I ran npm install on a new project. 847 packages downloaded in twelve seconds. And I thought: what if one of those just stole my AWS keys? Not a crazy thought. It happened before. In 2018, event-stream got a new maintainer who slipped in code that stole cryptocurrency wallets. Two million weekly downloads. In 2021, ua-parser-js was hijacked to install cryptominers. In 2022, the author of colors.js broke it on purpose, taking down thousands of projects overnight. All of them passed npm audit with zero warnings. npm audit only catches what someone already reported npm audit checks a database of known vulnerabilities. If nobody filed a report yet, it stays silent. That gap between "malicious code gets published" and "someone notices" can be days or weeks. By then, you already have it in your node_modules. Snyk and Socket are better at this, but they're SaaS. You need an account, sometimes a paid plan, and your code goes to their servers for analysis. I wanted something different