Show HN: Quantum-audit – CLI to scan NPM deps for quantum-vulnerable crypto

Heavensinfinite1 pts0 comments

quantum-audit — Is your project quantum-safe?

v0.2.2 — now on npm

Is your project<br>quantum-safe?

Shor's algorithm breaks ECDSA, RSA, and secp256k1 completely. Scan your npm dependencies and source code for quantum-vulnerable cryptography in seconds.

$ npx quantum-audit .

Quantum Audit — my-dapp

────────────────────────────────────────

Score: 60/100

Grade: C — Moderate Exposure

Findings:

[CRITICAL] ECDSA (secp256k1) — package.json

[MEDIUM] SHA-256 — src/utils/hash.js:14

Critical findings rely on RSA/ECDSA, broken by Shor's algorithm.

npx quantum-audit .

View on GitHub

What it detects

Top blockchain packages — all flagged

Every major Ethereum and Bitcoin npm package relies on ECDSA/secp256k1. None have a post-quantum migration path documented.

CRITICAL<br>ethers<br>ECDSA (secp256k1) signing

CRITICAL<br>web3<br>ECDSA (secp256k1) signing

CRITICAL<br>elliptic<br>ECDSA (secp256k1 / p256)

CRITICAL<br>bitcoinjs-lib<br>ECDSA (secp256k1)

CRITICAL<br>node-rsa<br>RSA — broken by Shor's algorithm

MEDIUM<br>crypto-js<br>AES-128 / SHA-256 — weakened by Grover's

SAFE<br>@noble/post-quantum<br>Kyber / Dilithium / SPHINCS+

How it works

Two scanning layers

Catches vulnerable crypto at the dependency level and in your source code directly.

LAYER 01

Dependency scan

Maps your package.json against a curated database of 20+ crypto libraries and their underlying algorithms. Instant results, no source required.

LAYER 02

AST source scan

Walks your JS/TS source via Babel AST to catch direct node:crypto calls — createSign('RSA-SHA256'), generateKeyPairSync('ec') — that dependency scanning misses.

CI READY

Exit codes for pipelines

Exits non-zero on critical findings. Drop npx quantum-audit . into any CI pipeline to gate on quantum exposure automatically.

Scoring

0–100 quantum readiness score

Critical findings (broken by Shor's algorithm) are weighted heavily. Medium findings (weakened by Grover's) reduce the score proportionally.

90–100

Quantum Ready

70–89

Low Exposure

40–69

Moderate Exposure

15–39

High Exposure

0–14

Critical Exposure

Scan your project now

Takes 10 seconds. No account required.

npx quantum-audit .

Read the writeup

Copied!

quantum critical ecdsa audit secp256k1 exposure

Related Articles