No threats detected
All checks passed. This site appears legitimate — but always stay alert for phishing even on trusted domains.
Is npmjs.org legit or a scam?
This looks safe to use.
Official npm registry domain (16.3 years old) with clean security scans, though phishing emails spoof its support address.
Analysis Summary
Website Preview

Automated page render — captured in a safe sandbox. What an ordinary visitor would see when loading the site.
Intelligence
The domain has been registered since March 2010 and belongs to npm, Inc., now owned by GitHub. Our antivirus network returned zero detections and the hosting IP shows minimal abuse history. The page serves as the core JavaScript package registry used by millions of developers worldwide. Two news articles describe phishing emails that spoof support@npmjs.org, but these target the address rather than compromising the domain itself. Business records confirm the company is active in the United States. The combination of long history, clean technical signals, and confirmed ownership outweighs the spoofing incidents.
Web Research Findings
Our live research agent queries scam-report databases, consumer-review sites, news coverage, and general web search for npmjs.org, then cross-checks business-registration records and look-alike domain patterns. Everything below is pulled from what it actually found.
- Official domain for the npm (Node Package Manager) registry, the world's largest software registry.
- Owned and operated by npm, Inc., which is a subsidiary of GitHub (Microsoft).
- The domain is frequently spoofed in phishing attacks (e.g., support@npmjs.org) to target package maintainers.
- While the domain is legitimate, the registry itself is unvetted, meaning individual packages hosted there may contain malware.
- Registered since March 2010 and serves as a core infrastructure component for the JavaScript ecosystem.
- gbhackers.comopen
"An developer recently came across a highly advanced phishing email that spoofs the support@npmjs.org address in order to impersonate npm, the Node.js package registry."
- cyberpress.orgopen
"One engineer reported a convincing phishing email spoofing the official npm support address (support@npmjs.org) and attempting to lure recipients to a deceptive site using a subtle domain switch."
npm, Inc. was founded in 2014 and acquired by GitHub (a Microsoft subsidiary) in 2020.
Two security news outlets documented phishing campaigns that spoof support@npmjs.org addresses to target Node.js developers. These attacks use the legitimate-looking sender address but direct victims to separate deceptive domains. Two independent sources affirm that registry.npmjs.org and npmjs.org are the official domains operated by npm, Inc. an independent review aggregator shows a modest number of reviews with a 4/5 average score.
Domain Timeline
- Mar 19, 2010Domain registered
First appeared in WHOIS records — 16 years old today.
- Jul 14, 2026Latest security review — Reviewed as safe
This scan re-ran every check and found no active threat signals.
npmjs.org has operated for years with no threat signals in this review — a long, stable track record, though it is never a guarantee on its own.
Threat Detection
Antivirus Engines
Security Scans
Checked against the major public blocklists used by browsers and security tools — no hits.
Reputation Sources
How this domain rates across independent threat-intelligence and blocklist providers.
Technical Details
domain · encryption · redirects · server reputation · referencedThe plumbing behind the site — who registered it, how it’s encrypted, where it’s hosted, and where it links out. A valid certificate or a calm server doesn’t mean the business is honest — scam sites pass these checks too. Use this to corroborate the verdict, not to overturn it.
Domain & Encryption
Redirect Chain
- 1301http://npmjs.org/
- 2403https://www.npmjs.com/cross-domain
Server Reputation
What to do
Still, stay alert
No major threat indicators — but a clean scan does not guarantee every page is safe, and phishing emails routinely spoof real domains.
- Double-check the exact URL in your address bar
Confirm you are actually on npmjs.org and not a lookalike like n-pmjs.org.com or an IDN homoglyph.
- Use a password manager
Password managers only auto-fill on the exact domain they were saved for — they refuse to fill lookalike domains, which is the single best phishing defence.
- OpenDiscuss this site on the forum
If you have first-hand experience with this site — good or bad — share it with the MalwareTips community.
Final Verdict
npmjs.org is the official domain for the npm package registry operated by npm, Inc., a GitHub subsidiary. The domain is 16.3 years old with clean scans across our malware engines and browser blocklists. Users should still verify package contents before installing, as the registry itself does not vet every upload.
Safety FAQ
Common questions, answered directly from the scan data above — so the answers always reflect the latest verdict on this page.
- Our automated security review found no threat indicators on npmjs.org, so it appears legitimate. All 92 antivirus engines we queried report it clean, it ranks among the world's most-visited sites, and the domain is 16.3 years old, registered on March 19, 2010 — established domains are far less likely to be scams. Even so, always double-check the exact address in your browser, because phishing emails routinely spoof real, trusted domains like this one.
- npmjs.org passed our automated checks with a trust score of 95/100. No antivirus engines or major blacklists flagged it at the time of the last scan, and its signals line up with an established, legitimate site. Treat any unexpected login prompt or payment request on it with the same caution you would anywhere.
- Yes — and this is worth understanding. Even trustworthy domains get spoofed in phishing emails (a fake message that only looks like it's from npmjs.org), and legitimate sites are occasionally compromised on specific pages. A clean verdict means the site itself checks out today; it does not mean every email or link claiming to be from npmjs.org is genuine. Always reach the site by typing the address yourself rather than clicking links in unexpected messages.
- No — all 92 antivirus and blocklist engines in our malware network currently report npmjs.org as clean. That's a good sign, though antivirus coverage is only one of the many signals we weigh, and brand-new scam sites can appear clean before vendors catch up.
- No — npmjs.org is not currently on the major browser blocklist feeds that Chrome, Safari, Firefox, and Edge rely on. Note that blocklists can lag behind brand-new scam domains, so "not listed" is reassuring but not a guarantee on its own.
- npmjs.org is 16.3 years old, registered on March 19, 2010 through MarkMonitor Inc.. A multi-year registration history is one of the stronger signals against a scam, though it's never a guarantee on its own — established domains can still be misused.
- Yes — npmjs.org presents a valid TLSv1.2 certificate issued by Google Trust Services · WE1, valid for another 71 days. Important caveat: SSL only encrypts the connection between you and the site — it does not verify who runs it. Almost all scam sites now have valid SSL too, so a padlock alone never means "safe".
- npmjs.org resolves to an IP operated by Cloudflare, Inc. in US (Content Delivery Network). Hosting location alone doesn't make a site good or bad — but hosting that doesn't match a brand's claimed country, or that sits on networks known for abuse, is one of the many signals we weigh alongside the verdict above.
- Yes — npmjs.org ranks in the global top 100,000 most-visited sites, which means it has substantial real-world traffic. Genuine popularity doesn't automatically make a site safe, but throwaway scam domains almost never reach this level of traffic, so it's a meaningful point in the site's favour.
- This report is a record of the scan run on July 14, 2026, and the verdict reflects that point in time. Scam sites change fast — they can go live, get flagged, or vanish within days — so if you believe something about npmjs.org has changed, MalwareTips staff can run a fresh scan that re-checks every signal from scratch and republishes an updated verdict.
User reviews & comments(0)
Share your experience — "Lost $200 on a fake checkout" is more useful than "Scam". Your review helps others avoid traps.