import-guardian 🪝

Catch AI-hallucinated (slopsquatted) npm imports in generated code — before you run npm install.

An LLM just wrote some code. It might import a package that doesn't exist — a name the model confidently hallucinated. Attackers register exactly those names and ship malware. This is slopsquatting, and in 2026 it's one of the fastest-growing supply-chain attacks: code generators have been observed referencing 205,000+ unique non-existent package names, and real hallucinated packages (react-codeshift, a fake huggingface-cli with 30k+ downloads) have already shown up in the wild.

import-guardian reads the generated code, extracts every npm package it imports, and tells you which ones are real — so an agent never installs a name its own model invented.

It's part of the guardian set: npm-guardian audits a package you've already chosen for CVEs and malicious behaviour, license-guardian audits the licenses of your dependencies (GPL/AGPL/BUSL traps) before you ship, and lockfile-guardian audits the resolved package-lock.json for integrity tampering and risky install scripts. import-guardian works one step earlier than all of them, at the moment the code — and its dependency names — are generated.

What it catches

👻 Hallucinated	imports of packages that do not exist on npm — the model invented the name. Returns BLOCK with a "did you mean" to the closest real package.
🪤 Fresh squats	packages that do exist but were published days ago, have no source repo, near-zero downloads, or are a 1–2 edit typo of a popular library. Returns REVIEW.
🧩 Import-aware	resolves import x from "@scope/pkg/sub" → @scope/pkg, lodash/fp → lodash; skips Node built-ins (fs, node:path) and local paths. Plain regex, no AST, zero runtime deps beyond the MCP SDK.

Verdicts: 🟢 CLEAN · 🟠 REVIEW · 🔴 BLOCK.

Use it as an MCP server (free)

{
  "mcpServers": {
    "import-guardian": { "command": "npx", "args": ["-y", "import-guardian-mcp"] }
  }
}

Tools:

• scan_code_imports — give it a block of generated JS/TS; it extracts and checks every npm import. Run this on code you just generated, before its install command.
• check_packages — verify an explicit list of package names.
• verify_package — deep-check a single package name (existence, age, versions, repo, weekly downloads, edit distance to popular packages).

Example

scan_code_imports({ code: 'import shift from "react-codeshift";\nimport React from "react";' })

🟠 REVIEW — 1 referenced package(s) look risky.
🟠 react-codeshift  (risk 57/100)
    • No source repository linked.
    • Only 1 published version.
    • Only 3 downloads in the last week despite being 158 days old.
🟢 react  (ok) — established package.

Free HTTP API

POST /scan        { "code": "import x from 'reqeusts'\nimport y from 'lodash'" }
GET  /verify?name=express

Hosted at https://import-guardian.vercel.app · try /verify?name=express vs /verify?name=reqeusts.

Pay-per-call (x402)

The /pro/* routes are gated by x402. Your agent pays $0.02 USDC per call automatically — no sign-up, no API key. Payment settles on-chain (USDC on Base). The server holds no private key; it only declares a public receiving address.

POST /pro/scan    { "code": "…" }   # 402 → pay → result, no rate limit

How it works (and its limits)

• Existence + freshness come straight from the live npm registry (registry.npmjs.org) and the download-stats API — these are facts, not guesses, which is the moat: an agent can't reliably know on its own whether a name it generated is real and trusted.
• "Did you mean" uses Levenshtein distance against a curated list of high-impact packages attackers impersonate.
• It does not execute or install anything (read-only), and it intentionally errs toward REVIEW rather than silently passing a brand-new lookalike. It is a guardrail, not a guarantee — pair it with npm-guardian for behavioural/CVE auditing of packages you decide to keep.

License

MIT.