Antivirus for JavaScript - Malware protection made simple!

Most JavaScript applications eventually need to handle files from the outside world—profile pictures, PDF invoices, CSV imports, support ticket attachments. The moment you open that door, you also invite risk. Malicious actors routinely disguise viruses, trojans, and ransomware inside ordinary-looking documents. Without an antivirus check at the point of entry, an infected upload can move laterally through your infrastructure, reach other users who download the file later, or trigger a compliance incident under GDPR, HIPAA, or SOC 2. The safest strategy is to treat every incoming file as untrusted and run a virus scan before your application touches it.

This guide walks you through adding malware protection to a JavaScript project with the attachmentAV API. Powered by the Sophos detection engine, the API works over HTTPS—no daemon to install, no signature database to maintain on your servers. You send a file (or a URL), and the API returns a verdict synchronously.

Install and configure the Virus and Malware Scan SDK

Start by pulling the SDK from npm. It ships with full type definitions, so it works equally well in plain JavaScript and TypeScript projects.

npm i @attachmentav/virus-scan-sdk-ts

You will need an API key to authenticate requests. Head to the subscription page and pick the tier that fits your volume—10 k, 50 k, or 100 k scans per month. The Setup Guide covers the onboarding steps.

With the key in hand, create a Configuration instance. Set accessToken to your key and point basePath at the region nearest to your users (the example below uses the Canada endpoint). Then instantiate the API client.

import { AttachmentAVApi, Configuration } from '@attachmentav/virus-scan-sdk-ts';

const config = new Configuration({
  accessToken: '<API_KEY_PLACEHOLDER>',
  basePath: 'https://canada.developer.attachmentav.com/v1'
});

const api = new AttachmentAVApi(config);

Scan file for virus and malware

The most common use case is checking a file that already lives on disk—for example, right after a user uploads it. Read the file into a Blob and pass it to scanSyncBinaryPost. The antivirus engine inspects the content and responds within seconds, so you can gate your upload pipeline on the result.

In the response object, look at status: it will be clean if no threat was found, infected if malware was detected, or no if the engine could not process the file. When the status is infected, the finding property tells you exactly what was flagged (e.g. “Troj/DocDl-AWZ”).

import { AttachmentAVApi, Configuration } from '@attachmentav/virus-scan-sdk-ts';
import { readFileSync } from 'node:fs';
import { Blob } from 'node:buffer';

const config = new Configuration({
  apiKey: '<API_KEY_PLACEHOLDER>'
});

const api = new AttachmentAVApi(config);

const scanResult = await api.scanSyncBinaryPost({
  body: new Blob([readFileSync('/path/to/file')])
});
console.log('Sync binary scan result:', scanResult);

Scan URL for virus and malware

Sometimes the file you need to verify is not on your server at all—it sits behind a public URL (a webhook payload link, a third-party export, a user-supplied download). Rather than fetching it yourself, you can hand the URL to attachmentAV and let the API pull the content for scanning. This keeps the untrusted bytes off your machine entirely.

Call scanSyncDownloadPost with a syncDownloadScanRequest containing the target URL. The virus scan runs server-side at attachmentAV, and the response follows the same status / finding format described above.

import { AttachmentAVApi, Configuration } from '@attachmentav/virus-scan-sdk-ts';

const config = new Configuration({
  apiKey: '<API_KEY_PLACEHOLDER>'
});

const api = new AttachmentAVApi(config);

const scanResult = await api.scanSyncDownloadPost({
  syncDownloadScanRequest: {
    downloadUrl: 'https://www.w3.org/WAI/ER/tests/xhtml/testfiles/resources/pdf/dummy.pdf'
  }
});
console.log('Sync download scan result:', scanResult);

Get started with antivirus for JavaScript

You now have two practical recipes—one for local files and one for remote URLs—that cover the majority of JavaScript virus scan use cases. Both rely on the same lightweight SDK, run against the Sophos-powered attachmentAV API, and return results fast enough to sit in the critical path of a file upload.

If your application handles user-generated content, integrating malware protection at this layer is one of the highest-value security improvements you can make. Create your attachmentAV subscription, grab an API key, and start rejecting infected files before they ever reach your storage.