| Severity | Alert | Description |
| --- | --- | --- |
| Critical | Possible typosquat attack | Package name is similar to other popular packages and may not be the package you want. |
| Critical | Known malware | This package version is identified as malware. It has been flagged either by Socket's AI scanner and confirmed by our threat research team, or is listed as malicious in security databases and other sources. |
| High | AI detected potential malware | AI has identified this package as malware. This is a strong signal that the package may be malicious. |
| High | GitHub dependency | Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. |
| High | Git dependency | Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. |
| High | AI detected security risk | AI has determined that this package may contain potential security issues or vulnerabilities. |
| High | Install scripts | Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts. |
| High | Non-existent author | The package was published by an npm account that no longer exists. |
| High | Obfuscated code | Obfuscated files are intentionally packed to hide their behavior. This could be a sign of malware. |
| High | NPM Shrinkwrap | Package contains a shrinkwrap file. This may allow the package to bypass normal install procedures. |
| High | Telemetry | This package contains telemetry which tracks how it is used. |
| High | Protestware or potentially unwanted behavior | This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function. |
| High | Unstable ownership | A new collaborator has begun publishing package versions. Package stability and security risk may be elevated. |
| High | HTTP dependency | Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability. |
| Medium | Potential vulnerability | Initial human review suggests the presence of a vulnerability in this package. It is pending further analysis and confirmation. |
| Medium | AI detected anomaly | AI has identified unusual behaviors that may pose a security risk. |
| Medium | Native code | Contains native code (e.g., compiled binaries or shared libraries). Including native code can obscure malicious behavior. |
| Medium | Manifest confusion | This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package. |
| Medium | Network access | This module accesses the network. |
| Medium | New author | A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package. |
| Medium | Recently published | Package version was published within the org's cool-down window. New releases concentrate the highest supply chain risk and warrant time for community vetting before they are pulled in. |
| Medium | Shell access | This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code. |
| Medium | Trivial Package | Packages less than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency. |
| Medium | Uses eval | Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior. |
| Low | Chronological version anomaly | Semantic versions published out of chronological order. |
| Low | Debug access | Uses debug, reflection and dynamic code execution features. |
| Low | Dynamic require | Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution. |
| Low | Environment variable access | Package accesses environment variables, which may be a sign of credential stuffing or data theft. |
| Low | Filesystem access | Accesses the file system, and could potentially read sensitive data. |
| Low | High entropy strings | Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code. |
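Several rows in the table above (install scripts, GitHub/git/HTTP dependencies, shrinkwrap, trivial package, eval, shell access, environment variable access, high entropy strings) describe checks that can be approximated from a package's manifest and source files. The script below is an added example, not Socket's scanner or its rules: it applies simplified versions of those heuristics to a constructed package.json and file set and returns the names of the alerts that fire. The manifests, file contents, thresholds (10 lines of code, entropy above 4.5 bits per character for string literals of 24+ characters) and the specifier-matching rules are all assumptions made for the example.

```python
"""Toy re-implementation of a few Socket-style package alerts (added example, not Socket's code)."""
import math
import re
from collections import Counter

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Quoted string literals of 24+ characters on one line (no nested quotes); assumed heuristic.
STRING_RE = re.compile(r"""(['"`])([^'"`\n]{24,})\1""")


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_specifier(spec):
    """Map a non-registry npm version specifier to the table's dependency alert, or None.

    Rules are a simplified assumption: github: prefix or bare user/repo shorthand -> GitHub;
    git+..., git:// or git@ -> Git (GitHub if it points at github.com); http(s) tarball -> HTTP.
    """
    spec = str(spec).strip()
    if spec.startswith("github:"):
        return "GitHub dependency"
    if spec.startswith(("git+", "git://", "git@")):
        return "GitHub dependency" if "github.com" in spec else "Git dependency"
    if re.fullmatch(r"[\w.-]+/[\w.-]+(#\S*)?", spec):
        return "GitHub dependency"  # npm's bare user/repo shorthand
    if spec.startswith(("http://", "https://")):
        return "HTTP dependency"
    return None


def scan_package(manifest, files):
    """Return the set of alert names that fire for one package.

    manifest: parsed package.json as a dict; files: {relative path: file text}.
    """
    alerts = set()
    if any(hook in manifest.get("scripts", {}) for hook in INSTALL_HOOKS):
        alerts.add("Install scripts")
    if "npm-shrinkwrap.json" in files:
        alerts.add("NPM Shrinkwrap")
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for spec in manifest.get(field, {}).values():
            alert = classify_specifier(spec)
            if alert:
                alerts.add(alert)
    js_files = {p: t for p, t in files.items() if p.endswith((".js", ".cjs", ".mjs"))}
    loc = sum(1 for t in js_files.values() for line in t.splitlines() if line.strip())
    if loc < 10:
        alerts.add("Trivial Package")
    for text in js_files.values():
        if re.search(r"\beval\s*\(|new\s+Function\s*\(", text):
            alerts.add("Uses eval")
        if re.search(r"\bchild_process\b", text):
            alerts.add("Shell access")
        if re.search(r"\bprocess\.env\b", text):
            alerts.add("Environment variable access")
        for _, literal in STRING_RE.findall(text):
            if shannon_entropy(literal) > 4.5:  # assumed threshold
                alerts.add("High entropy strings")
    return alerts


# Constructed sample packages for the example; not real packages.
SUSPECT_MANIFEST = {
    "name": "left-padd",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {
        "helper": "github:example-org/helper#main",
        "tool": "git+ssh://git@internal.example/tool.git",
        "bundle": "https://cdn.example/bundle-1.0.0.tgz",
        "lodash": "^4.17.21",
    },
}
SUSPECT_FILES = {
    "npm-shrinkwrap.json": "{}",
    "index.js": "module.exports = require('./setup.js');\n",
    "setup.js": (
        "const cp = require('child_process');\n"
        'const token = "Zq3xV9pL2mKwR7tYbN4cHs8dFg1jUa6eWi0oXy5z";\n'
        "eval(process.env.SETUP_CODE || '');\n"
    ),
}
BENIGN_MANIFEST = {"name": "tiny-math", "version": "1.0.0", "dependencies": {"lodash": "^4.17.21"}}
BENIGN_FILES = {
    "index.js": (
        '"use strict";\nfunction add(a, b) {\n  return a + b;\n}\n'
        "function sub(a, b) {\n  return a - b;\n}\n"
        "function mul(a, b) {\n  return a * b;\n}\n"
        "module.exports = { add, sub, mul };\n"
    ),
}

if __name__ == "__main__":
    print("suspect:", sorted(scan_package(SUSPECT_MANIFEST, SUSPECT_FILES)))
    print("benign: ", sorted(scan_package(BENIGN_MANIFEST, BENIGN_FILES)))
```

The checks are deliberately coarse: a registry-style `^4.17.21` specifier yields no alert, while the shorthand and URL forms map to the three dependency rows, and the source heuristics key on the same API names the table cites (`child_process`, `process.env`, `eval`). A real scanner would resolve the full dependency tree and parse the JavaScript rather than grep it, but the structure (manifest checks, file-presence checks, per-file source checks) is the same.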