Known malware
This package is malware. We have asked the package registry to remove it.
Possible typosquat attack
Package name is similar to other popular packages and may not be the package you want.
NPM Shrinkwrap
Package contains a shrinkwrap file. This may allow the package to bypass normal install procedures.
Git dependency
Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install.
HTTP dependency
Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.
Suspicious Stars on GitHub
The GitHub repository of this package may have been artificially inflated with stars (from bots, crowdsourcing, etc.).
Protestware or potentially unwanted behavior
This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.
Unstable ownership
A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.
Obfuscated code
Obfuscated files are intentionally packed to hide their behavior. This could be a sign of malware.
AI-detected potential malware
AI has identified this package as malware. This is a strong signal that the package may be malicious.
GitHub dependency
Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.
Telemetry
This package contains telemetry which tracks how it is used.
Potential vulnerability
Initial human review suggests the presence of a vulnerability in this package. It is pending further analysis and confirmation.
Uses eval
Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Install scripts
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Non-existent author
The package was published by an npm account that no longer exists.
AI-detected potential security risk
AI has determined that this package may contain potential security issues or vulnerabilities.
AI-detected possible typosquat
AI has identified this package as a potential typosquat of a more popular package. This suggests that the package may be intentionally mimicking another package's name, description, or other metadata.
Shell access
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Native code
Contains native code (e.g., compiled binaries or shared libraries). Including native code can obscure malicious behavior.
Manifest confusion
This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.
Network access
This module accesses the network.
Trivial Package
Packages less than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.
Debug access
Uses debug, reflection and dynamic code execution features.
Dynamic require
Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
New author
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Filesystem access
Accesses the file system, and could potentially read sensitive data.
AI-detected potential code anomaly
AI has identified unusual behaviors that may pose a security risk.
High entropy strings
Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code.
Environment variable access
Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Critical CVE
Contains a Critical Common Vulnerability and Exposure (CVE).
High CVE
Contains a high severity Common Vulnerability and Exposure (CVE).
Medium CVE
Contains a medium severity Common Vulnerability and Exposure (CVE).
Low CVE
Contains a low severity Common Vulnerability and Exposure (CVE).
Bad dependency semver
Package has dependencies with an invalid semantic version. This could be a sign of beta, low quality, or unmaintained dependencies.
Wildcard dependency
Package has a dependency with a floating version range. This can cause issues if the dependency publishes a new major version.
Unpopular package
This package is not very popular.
Minified code
This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code.
Socket optimized override available
Package can be replaced with a Socket optimized override.
Deprecated
The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.
Unmaintained
Package has not been updated in more than 5 years and may be unmaintained. Problems with the package may go unaddressed.
Explicitly Unlicensed Item
(Experimental) Something was found which is explicitly marked as unlicensed.
Misc. License Issues
(Experimental) A package's licensing information has fine-grained problems.
Non-permissive License
(Experimental) A license not known to be considered permissive was found.
Ambiguous License Classifier
(Experimental) An ambiguous license classifier was found.
Copyleft License
(Experimental) Copyleft license information was found.
Unidentified License
(Experimental) Something that seems like a license was found, but its contents could not be matched with a known license.
No License Found
(Experimental) License information could not be found.
License exception
(Experimental) Contains an SPDX license exception.
