Supply Chain Risk

| Severity | Alert Type | Description |
|---|---|---|
| Critical | Possible typosquat attack | Package name is similar to other popular packages and may not be the package you want. |
| Critical | Known malware | This package is malware. We have asked the package registry to remove it. |
| High | AI detected potential malware | AI has identified this package as malware. This is a strong signal that the package may be malicious. |
| High | GitHub dependency | Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. |
| High | Git dependency | Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. |
| High | AI detected security risk | AI has determined that this package may contain potential security issues or vulnerabilities. |
| High | Install scripts | Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts. |
| High | Non-existent author | The package was published by an npm account that no longer exists. |
| High | Obfuscated code | Obfuscated files are intentionally packed to hide their behavior. This could be a sign of malware. |
| High | NPM Shrinkwrap | Package contains a shrinkwrap file. This may allow the package to bypass normal install procedures. |
| High | Telemetry | This package contains telemetry which tracks how it is used. |
| High | Protestware or potentially unwanted behavior | This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function. |
| High | Unstable ownership | A new collaborator has begun publishing package versions. Package stability and security risk may be elevated. |
| High | HTTP dependency | Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability. |
| Medium | Potential vulnerability | Initial human review suggests the presence of a vulnerability in this package. It is pending further analysis and confirmation. |
| Medium | AI detected anomaly | AI has identified unusual behaviors that may pose a security risk. |
| Medium | Native code | Contains native code which could be a vector to obscure malicious code, and generally decreases the likelihood of reproducible or reliable installs. |
| Medium | Manifest confusion | This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package. |
| Medium | Network access | This module accesses the network. |
| Medium | New author | A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package. |
| Medium | Shell access | This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code. |
| Medium | Trivial package | Packages with fewer than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency. |
| Medium | Uses eval | Package uses eval(), which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior. |
| Low | Chronological version anomaly | Semantic versions published out of chronological order. |
| Low | Debug access | Uses debug, reflection and dynamic code execution features. |
| Low | Dynamic require | Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution. |
| Low | Environment variable access | Package accesses environment variables, which may be a sign of credential stuffing or data theft. |
| Low | Filesystem access | Accesses the file system, and could potentially read sensitive data. |
| Low | High entropy strings | Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code. |
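To make the manifest-level signals in the table concrete, here is an added example (not Socket's own code) that checks a package.json object for install scripts, GitHub, git and HTTP dependency specifiers, and a shipped npm-shrinkwrap.json. The manifest and file list are constructed, and the specifier patterns are this example's own assumptions, not Socket's detection rules.

```javascript
// Install-time lifecycle hooks npm runs automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Classify a dependency specifier by where it resolves. The patterns are an
// assumption of this example: a rough approximation of npm's specifier forms.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (/^github:/.test(s) || /github\.com\//.test(s) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'github';   // user/repo shorthand or github URL
  if (/^git(\+\w+)?:\/\//.test(s) || /\.git(#.*)?$/.test(s)) return 'git'; // git://, git+ssh://, *.git
  if (/^https?:\/\//.test(s)) return 'http';                  // remote tarball URL
  return 'registry';                                           // semver range, tag, npm:/file: alias
}

// Walk the manifest and the list of files shipped in the tarball; return one
// finding per signal, labelled with the alert type and severity from the table.
function auditManifest(pkg, files = []) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ alert: 'Install scripts', severity: 'High', detail: `${hook}: ${scripts[hook]}` });
  }
  const labels = { github: 'GitHub dependency', git: 'Git dependency', http: 'HTTP dependency' };
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind !== 'registry') findings.push({ alert: labels[kind], severity: 'High', detail: `${field}.${name} = ${spec}` });
    }
  }
  if (files.includes('npm-shrinkwrap.json')) {
    findings.push({ alert: 'NPM Shrinkwrap', severity: 'High', detail: 'npm-shrinkwrap.json shipped in package' });
  }
  return findings;
}

// Constructed sample manifest and file list (hypothetical package and hosts).
const SAMPLE_MANIFEST = {
  name: 'example-pkg',
  scripts: { postinstall: 'node setup.js', test: 'jest' },
  dependencies: {
    lodash: '^4.17.21',
    helper: 'someuser/helper#v1',
    tool: 'git+ssh://git@example.com/tool.git',
    tarball: 'https://example.com/pkg-1.0.0.tgz',
  },
};
const SAMPLE_FILES = ['package.json', 'index.js', 'npm-shrinkwrap.json'];

for (const f of auditManifest(SAMPLE_MANIFEST, SAMPLE_FILES)) console.log(`[${f.severity}] ${f.alert}: ${f.detail}`);
```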