View Other Properties


View Other Properties

How to List NPM Packages Across All Mac, Windows, and Linux Devices

Using Kolide, you can easily view and query NPM Packages across your fleet.


Javascript (often abbreviated as JS) is a popular programming language used for both web apps and on-device software (typically created via a JS runtime called Node.js). In order for some Javascript programs to work, they must import third party libraries which are obtained from package registries. Node Package Manager (or NPM) is a package manager for importing and managing the dependencies for various JS third-party libraries. In addition, NPM also refers to the registry in which packages can be obtained.

While NPM packages are typically installed locally on a per-project basis, you can also install system-wide (or global) packages that install command-line tools that are available in the default $PATH.

Kolide collects these globally installed NPM packages that are found in the following locations:

  • /usr/local/lib
  • /opt/homebrew/lib
  • /usr/lib
  • /home/%/.npm-global/lib
  • /Users/%/.npm-global/lib
  • C:\Users\%\AppData\Roaming\npm
  • Paths in [HU|HKLM]\SOFTWARE\Node.js\InstallPath

What NPM Package Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect NPM Packages from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

NPM Packages Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

author Text

NPM package author

directory Text

Directory where NPM packages are located

homepage Text

The author supplied homepage of the NPM package

license Text

The author supplied license of the NPM package

name Text

NPM package display name

npm_registry_downloads_report Jsonb

The raw JSON response from NPM Registry API regarding weekly downloads

npm_registry_keywords Text[]

Package author provided keywords registered in the NPM Registry

npm_registry_latest_version Text

The latest version available for this extension in the NPM Registry

npm_registry_maintainers Jsonb

Package author provided maintainers registered in the NPM Registry

npm_registry_release_tags Jsonb

The distribution tags for the package (often to define releases) registered in the NPM Registry

npm_registry_updated_at Timestamp

The freshness of the NPM Registry data associated with this package

npm_registry_version_released_at Timestamp

The time the latest version was released for this package in the NPM Registry

npm_registry_weekly_downloads_count Bigint

The total number of downloads from the NPM Registry over the last 7 days

path Text

Path at which the module in the NPM package resides

summary Text

NPM package-supplied description

version Text

The text representation of the version

version_major Bigint

version's semver major version (ex: 4.2.1 would yield 4)

version_minor Bigint

version's semver minor version (ex: 4.2.1 would yield 2)

version_patch Bigint

version's semver patch version (ex: 4.2.1 would yield 1)

version_subpatch Bigint

version's numeric status fourth position number (ex: would yield 6)

version_pre Text

version's semver pre-release version (ex: 1.2.3-prerelease+build would yield pre-release)

version_build Text

version's semver build version (ex: 1.2.3-prerelease+build would yield build)

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find NPM Packages with GPL Licenses
Kolide SQL
   "device_npm_packages".license ILIKE '%GPL%';
Example Results
name license homepage
node-forge (BSD-3-Clause OR GPL-2.0)
Find Out Of Date NPM Packages
Kolide SQL
  "device_npm_packages".version AS installed_version,
  "device_npm_packages".npm_registry_latest_version AS latest_version,
  "device_npm_packages".version != "device_npm_packages".npm_registry_latest_version;
Example Results
name homepage latest_version installed_version
npm 8.13.1 8.5.5
Find NPM Packages With Low Weekly Download Counts
Kolide SQL
  "device_npm_packages".version AS installed_version,
  "device_npm_packages".npm_registry_weekly_downloads_count AS weekly_downloads,
  "device_npm_packages".npm_registry_weekly_downloads_count < 1000;
Example Results
name homepage weekly_downloads installed_version
tldr 852 3.3.7
speed-test (NULL) 396 3.0.0

Why Should I Collect NPM Packages?

Since Node.js is a widely used avenue for installing software, there is the potential for malicious actors to try and use it to distribute malware. The primary way this is accomplished is through a supply chain attack.

In this attack, a bad actor obtains control of a popular package, pushes a new version that contains a malicious payload, and then distributes it via official channels. In this scenario, package managers will automatically download and execute the payload which compromises the device. Cataloging installed NPM Packages allows security and IT practitioners to understand the scope of potential compromise in these attacks.

Given the wide range of possible software that can be installed via node.js via NPM, it is important to regularly audit the list of installed packages on a machine. Here are some other use-cases where this may be valuable:

  • Discovering software dependencies that have undesirable licenses (like GPL)
  • Identifying packages that are out of date and may contain vulnerabilities
  • Reviewing installed packages to verify desired device configuration
  • Locating abandoned packages with low global (real-world) usage

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

NPM package installations may reveal a partial list of the applications installed on your device. This could include software used for personal reasons.

When you use Kolide to list NPM Package data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.

Share this story:

Related Device Properties:

Mac Homebrew Packages
software, packages, developers
Python Packages
developers, software, packages
Windows Chocolatey Packages
software, packages, developers
View full list of Kolide's Device Properties
Book A Demo
Book A Demo