Supply Chain Risk
Severity | Alert Type | Description |
---|---|---|
Critical | Possible typosquat attack | Package name is similar to other popular packages and may not be the package you want. |
Critical | Known malware | This package is malware. We have asked the package registry to remove it. |
High | AI detected potential malware | AI has identified this package as malware. This is a strong signal that the package may be malicious. |
High | GitHub dependency | Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. |
High | Git dependency | Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. |
High | AI detected security risk | AI has determined that this package may contain potential security issues or vulnerabilities. |
High | Install scripts | Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts. |
High | Non-existent author | The package was published by an npm account that no longer exists. |
High | Obfuscated code | Obfuscated files are intentionally packed to hide their behavior. This could be a sign of malware. |
High | NPM Shrinkwrap | Package contains a shrinkwrap file. This may allow the package to bypass normal install procedures. |
High | Telemetry | This package contains telemetry which tracks how it is used. |
High | Protestware or potentially unwanted behavior | This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function. |
High | Unstable ownership | A new collaborator has begun publishing package versions. Package stability and security risk may be elevated. |
High | HTTP dependency | Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability. |
Medium | Potential vulnerability | Initial human review suggests the presence of a vulnerability in this package. It is pending further analysis and confirmation. |
Medium | AI detected anomaly | AI has identified unusual behaviors that may pose a security risk. |
Medium | Native code | Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs. |
Medium | Manifest confusion | This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package. |
Medium | Network access | This module accesses the network. |
Medium | New author | A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package. |
Medium | Shell access | This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code. |
Medium | Trivial Package | Packages with fewer than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency. |
Medium | Uses eval | Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior. |
Low | Chronological version anomaly | Semantic versions published out of chronological order. |
Low | Debug access | Uses debug, reflection and dynamic code execution features. |
Low | Dynamic require | Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution. |
Low | Environment variable access | Package accesses environment variables, which may be a sign of credential stuffing or data theft. |
Low | Filesystem access | Accesses the file system, and could potentially read sensitive data. |
Low | High entropy strings | Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code. |
Updated 5 months ago