package-verify-mcp
Verifies npm package names for existence, age, downloads, deprecation, and typosquatting against popular packages before installation.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@package-verify-mcpVerifyreact-hook-formsbefore installing."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
package-verify-mcp
Catch hallucinated and typosquatted npm packages before your coding agent installs them.
An MCP server that verifies an npm package name is real and safe before Claude, Cursor, or any agent runs npm install. AI agents routinely invent plausible-sounding package names ("slopsquatting"), and attackers pre-register those exact names with malware — one hallucinated package (react-codeshift) spread into 237 repos. This server is the guardrail.
Why this exists
An agent confidently writes import x from "some-plausible-pkg" and then installs it. If that name doesn't exist, best case you get an error; worst case a squatter is waiting there with a postinstall script. Checking is one registry call — this makes the agent do it every time.
Related MCP server: npmguard
Tools
Tool | What it does |
| Verdict for one name — SAFE / CAUTION / SUSPICIOUS / DOES_NOT_EXIST — from existence, first-publish age, weekly downloads, deprecation, and edit-distance to popular packages (typosquat detection). |
| Batch check — pass every dependency in a proposed change; flagged names sort to the top. |
Uses only the public npm registry + downloads API. No key.
What the verdicts mean
✅ SAFE — exists, established (age + downloads), not a near-miss of a popular name.
⚠️ CAUTION — exists but young, low-traffic, deprecated, or a similar-but-established name. Confirm intent.
🛑 SUSPICIOUS — one or two edits from a popular package and young/low-traffic: a classic typosquat. Don't install without confirming.
❌ DOES_NOT_EXIST — not on npm. Hallucination signature — do not install; suggestions for the likely intended name are included.
Quick start
npx package-verify-mcpClaude Code
claude mcp add package-verify -- npx -y package-verify-mcpClaude Desktop / Cursor / Windsurf / any MCP client
{
"mcpServers": {
"package-verify": {
"command": "npx",
"args": ["-y", "package-verify-mcp"]
}
}
}Pairs well with a rule like "Before adding any npm dependency, verify it with package-verify."
Example prompts
"Verify
react-hook-formsbefore you install it." (→ 🛑 typosquat ofreact-hook-form)"Check all the packages in this package.json diff with package-verify."
"Is
@types/node-fetcha real package?"
Config
Env var | Default | Purpose |
|
| Registry for existence/metadata. |
|
| Downloads API for weekly-download signal. |
How it works
package name
│
├─ registry GET ── exists? first-publish date, latest, deprecated, repo
├─ downloads API ── weekly downloads (traffic/trust signal)
└─ edit-distance vs bundled popular-package list ── typosquat detection
└─► SAFE / CAUTION / SUSPICIOUS / DOES_NOT_EXIST + reasons + suggestionsCaveats
This is a hallucination / typosquat tripwire, not a full security scanner — it won't analyze package contents (use Socket/npq for deep supply-chain analysis). It answers "is this name real and plausibly the one you meant."
The popular-package reference list is curated, not exhaustive; extend
src/popular.tsfor your stack.
Develop
npm install
npm run build
node dist/index.jsLicense
MIT © Anicodeth
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Anicodeth/package-verify-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server