# npm Package Search

{% hint style="warning" %}
**Available for Enterprise Tier Only**
{% endhint %}

npm Package Search lets you quickly identify where specific npm packages appear across your organization — from pull requests and repositories to developer machines. When a package is found to be compromised or vulnerable, you can use this feature to understand your blast radius and take targeted remediation steps.

You can search at the organization level or across your entire tenant, depending on your scope of access.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2Fn7qvv0nPcRuPpL0s76DT%2FScreenshot%202026-03-10%20at%2016.33.14.png?alt=media&#x26;token=9ee2a2d0-37b3-4d6b-8097-3d34f09dad43" alt=""><figcaption></figcaption></figure>

### Search Scope

npm Package Search covers two surfaces:

* **CI/CD and Repositories** — Identifies where a package was introduced across pull requests and default branches. Results link directly to the PR where the dependency was added, so you can revert or patch it quickly.
* **Developer Machines** — Identifies where a package is installed on developer endpoints, including packages installed by AI coding agents and tools. For each match, the search returns the exact file path and package manager used, which you can use to build an MDM or EDR remediation script and verify removal after cleanup.

### Supported Ecosystems and Files

npm Package Search inspects the following dependency and lock files across the npm, yarn, and pnpm ecosystems.

#### Supported Files

| Ecosystem      | File              | Description                             |
| -------------- | ----------------- | --------------------------------------- |
| npm            | package.json      | Primary dependency definition file      |
| npm            | package-lock.json | Locked dependency tree generated by npm |
| yarn (Classic) | yarn.lock         | Locked dependency tree for Yarn v1      |
| yarn (Berry)   | package.json      | Dependency definitions for Yarn v2+     |
| pnpm           | pnpm-lock.yaml    | Locked dependency tree for pnpm         |
| pnpm           | package.json      | Dependency definitions for pnpm         |
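As an added example (not StepSecurity's code), the Python script below shows what inspecting these files amounts to: it parses each supported file format for a package name and an optional list of versions and reports every file in which the package occurs. The sample files are constructed inline; the parsers are deliberately simplified (yarn.lock v1 and pnpm-lock.yaml are read line by line rather than with a full YAML parser, package-lock.json is handled for lockfileVersion 2/3 only, and a package.json range such as `^1.3.0` is compared by its base version rather than evaluated as semver).

```python
import json
import re
from pathlib import Path

# Constructed sample files (not taken from the page), one per supported format.
SAMPLE_FILES = {
    "repo-a/package.json": json.dumps({
        "dependencies": {"left-pad": "^1.3.0", "lodash": "4.17.21"},
        "devDependencies": {"eslint": "^8.0.0"},
    }),
    "repo-a/package-lock.json": json.dumps({
        "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"left-pad": "^1.3.0"}},
            "node_modules/left-pad": {"version": "1.3.0"},
            "node_modules/lodash": {"version": "4.17.21"},
            "node_modules/eslint/node_modules/debug": {"version": "4.3.4"},
        },
    }),
    "repo-b/yarn.lock": (
        '# yarn lockfile v1\n\n"left-pad@^1.3.0":\n  version "1.3.0"\n'
        '  resolved "https://registry.example.invalid/left-pad-1.3.0.tgz"\n\n'
        'lodash@4.17.21, lodash@^4.17.0:\n  version "4.17.21"\n'
    ),
    "repo-c/pnpm-lock.yaml": (
        "lockfileVersion: '9.0'\n\npackages:\n\n"
        "  left-pad@1.3.0:\n    resolution: {integrity: sha512-constructed}\n\n"
        "  lodash@4.17.21:\n    resolution: {integrity: sha512-constructed}\n"
    ),
}


def parse_package_json(text):
    """Declared dependencies as (name, spec); specs are ranges, not resolved versions."""
    data = json.loads(text)
    return {(name, spec)
            for section in ("dependencies", "devDependencies", "optionalDependencies")
            for name, spec in data.get(section, {}).items()}


def parse_package_lock(text):
    """Resolved packages from a lockfileVersion 2/3 `packages` map keyed by install path."""
    found = set()
    for key, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" in key:  # the name is everything after the last node_modules/
            found.add((key.rsplit("node_modules/", 1)[1], meta.get("version", "")))
    return found


YARN_VERSION_RE = re.compile(r'^\s+version\s+"?([^"\s]+)"?\s*$')


def parse_yarn_lock(text):
    """Yarn v1: an unindented `spec[, spec]:` header, then an indented `version` line."""
    found, specs = set(), []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            specs = [s.strip().strip('"') for s in line.rstrip()[:-1].split(",")]
            continue
        m = YARN_VERSION_RE.match(line)
        if m and specs:
            for spec in specs:  # "@scope/name@^1.0.0": the name is everything before the last "@"
                found.add((spec.rsplit("@", 1)[0], m.group(1)))
            specs = []
    return found


PNPM_KEY_RE = re.compile(r"^  (?P<key>[^\s:][^\s]*):\s*$")


def parse_pnpm_lock(text):
    """pnpm `packages:` keys: `/name/1.0.0` (v5), `/name@1.0.0` (v6) or `name@1.0.0` (v9)."""
    found, in_packages = set(), False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            in_packages = line.strip() == "packages:"
            continue
        m = PNPM_KEY_RE.match(line)
        if in_packages and m:
            key = re.sub(r"\(.*\)$", "", m.group("key")).lstrip("/")  # drop any peer-dep suffix
            name, _, version = key.rpartition("@") if "@" in key[1:] else key.rpartition("/")
            found.add((name, version))
    return found


PARSERS = {"package.json": parse_package_json, "package-lock.json": parse_package_lock,
           "yarn.lock": parse_yarn_lock, "pnpm-lock.yaml": parse_pnpm_lock}


def find_package(files, name, versions=()):
    """Sorted (path, name, version) hits for `name` across a {path: content} mapping.
    A package.json range like "^1.3.0" is compared by its base version; semver is not evaluated."""
    hits = []
    for path, text in files.items():
        parser = PARSERS.get(Path(path).name)
        for pkg, version in parser(text) if parser else ():
            if pkg == name and (not versions or version.lstrip("^~=><") in versions):
                hits.append((path, pkg, version))
    return sorted(hits)
```

Calling `find_package(SAMPLE_FILES, "left-pad", ["1.3.0"])` returns one hit per sample file, while a version that none of the files resolve to returns nothing. Note the asymmetry between manifests and lock files: only the lock files tell you which version was actually installed, which is why a compromised-version search should be driven by the lock file rather than by the range in package.json.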

### How to Use npm Package Search

**Step 1: Navigate to StepSecurity Dashboard →** OSS Package Security → npm Package Search

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FkyJXiTwrWcuEiyl0GJPj%2Fascreenshot%20(1).jpeg?alt=media&#x26;token=f0b0a534-d756-421d-960a-ed66aee107c5" alt=""><figcaption></figcaption></figure>

**Step 2: Configure your search filters.**

* **Search Scope** — Choose Organization Search to search within your current organization, or Tenant Search to search across all organizations in your tenant.
* **Search Type** — Choose Custom Search to specify packages manually, or Compromised Packages Search to focus on known compromised or vulnerable packages.
* **Repository** — Optionally narrow results to a specific repository.
* **Seen In** — Filter by where the package was detected. Options include All (PRs, Default Branch & Dev Machines), or a specific surface.
* **Time Range** — Optionally select a date range to limit results.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FSTIeyzNUndBTbpKd8dO3%2Fascreenshot%20(2).jpeg?alt=media&#x26;token=570d5b63-d269-4630-b1cc-78eb1895d22f" alt=""><figcaption></figcaption></figure>

**Step 3: Add the packages you want to search for.**

Enter a package name and, if applicable, one or more specific versions. Click **Add Package** to add more packages to the same search. Results can be exported as CSV.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FHrOpfsNaVQuGt3RKHvvK%2Fascreenshot%20(3).jpeg?alt=media&#x26;token=560a63dd-a878-49c8-a88f-608568c143a1" alt=""><figcaption></figcaption></figure>

**Step 4: Run the search and review results.**

Matching results show the default branches, PRs and developer machines where the package was found. Click any result to view details — for CI/CD results this links to the corresponding pull request; for developer machine results this shows the install path and package manager.

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FWB2oBuQncAJE8D0YhPc1%2Fascreenshot%20(4).jpeg?alt=media&#x26;token=57c0ec17-8cee-445c-9109-e9149ac0fa6f" alt=""><figcaption></figcaption></figure>

**Step 5: Remediate**

* For CI/CD findings, revert the affected PR or patch the dependency directly.
* For developer machine findings, use the file path information to build a removal script via your MDM or EDR tooling. After running the script, rescan the device to confirm the package is no longer present.
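As an added example (not StepSecurity's code and not tied to any particular MDM or EDR product), this Python helper does the developer-machine part of Step 5 locally: it walks a directory for every installed copy of a package, including copies nested under another package's `node_modules`, removes the matching ones, and re-runs the same search to confirm nothing is left. The install tree is constructed in a temporary directory; the package names, versions and layout are illustrative.

```python
import json
import os
import shutil
import tempfile
from pathlib import Path


def find_installed(root, name, versions=()):
    """Return sorted (relative path, version) pairs for every installed copy of `name`,
    i.e. every node_modules/<name>/package.json under `root` (nested trees included)."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" not in filenames or "node_modules" not in Path(dirpath).parts:
            continue
        try:
            meta = json.loads(Path(dirpath, "package.json").read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep walking
        if meta.get("name") == name and (not versions or meta.get("version") in versions):
            hits.append((Path(dirpath).relative_to(root).as_posix(), meta.get("version")))
    return sorted(hits)


def remove_installed(root, name, versions=()):
    """Delete each matching package directory and return the paths that were removed."""
    removed = []
    for rel, _version in find_installed(root, name, versions):
        shutil.rmtree(Path(root, rel))
        removed.append(rel)
    return removed


def build_sample_tree():
    """Constructed node_modules layout (not a real machine) with two copies of left-pad."""
    root = tempfile.mkdtemp(prefix="npm-search-demo-")
    installed = {
        "proj/node_modules/left-pad": "1.3.0",
        "proj/node_modules/eslint/node_modules/left-pad": "1.1.0",
        "proj/node_modules/lodash": "4.17.21",
    }
    for rel, version in installed.items():
        pkg_dir = Path(root, rel)
        pkg_dir.mkdir(parents=True)
        manifest = {"name": rel.rsplit("/", 1)[1], "version": version}
        (pkg_dir / "package.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", find_installed(root, "left-pad"))
    print("removed:", remove_installed(root, "left-pad", ["1.3.0"]))
    print("after:", find_installed(root, "left-pad"))
```

The point of the final `find_installed` call is the one the page makes for rescanning: a removal script that only deletes the path reported for the top-level copy leaves a nested copy in place, so the confirmation step has to search the whole tree again rather than just check that the original path is gone.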

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FtTlGErE1Dd80etb3yKAa%2Fascreenshot%20(5).jpeg?alt=media&#x26;token=90fd282b-06ce-4856-8ef4-8a8a4a3df54e" alt=""><figcaption></figcaption></figure>

**Follow this interactive demo to see how this works:**

{% embed url="https://app.storylane.io/share/ikokjxskmmum" %}

{% hint style="info" %}
For a complete guide to preventing, detecting, and responding to npm attacks, see [NPM Supply Chain Security](https://app.gitbook.com/o/Hhu8NwchzrRxmxplqEVj/s/nWcOGIMQQsclkjX6nz4Z/)
{% endhint %}
