
Issues

Deprecated

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Empty package

Package does not contain any code. It may have been removed, may be name squatting, or may be the result of a faulty package publish.

Known Malware

This package is malware. We have asked npm to remove it.

Troll package

This package is a joke or parody. You should not use it in production.

Bidirectional unicode control characters

Source files contain bidirectional unicode control characters. This could indicate a Trojan source supply chain attack. See: trojansource.code for more information.

Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing, or could be a sign of a supply chain attack.

Bin script shell injection

This package re-exports a well-known shell command via an npm bin script. This is possibly a supply chain attack.

Git dependency

Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable, can be used to inject untrusted code, and reduce the likelihood of a reproducible install.

GitHub dependency

Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable, can be used to inject untrusted code, and reduce the likelihood of a reproducible install.

HTTP dependency

Contains a dependency which resolves to a remote HTTP URL. Dependencies fetched from HTTP URLs could be used to inject untrusted code and reduce overall package reliability.

Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
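The manifest-level checks above (bin names that shadow well-known shell commands, git, GitHub and HTTP dependency specifiers, and install hooks) can all be read straight out of package.json. The following is an added example, not Socket's own code: the shell-command list, the specifier classification, and the sample manifest are assumptions constructed for this illustration.

```javascript
// Added example, not Socket's code: audit a package.json for the manifest-level
// issues listed above. Command list, classification rules and the sample
// manifest are assumptions constructed for this example.

// Well-known commands an attacker could shadow by registering them as bin names;
// npm links bin names into node_modules/.bin, which often ends up on PATH.
const SHELL_COMMANDS = new Set([
  'ls', 'cat', 'cp', 'mv', 'rm', 'curl', 'wget', 'ssh', 'sudo', 'git', 'node', 'npm', 'npx',
]);

// Lifecycle scripts that npm runs automatically during "npm install".
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Classify a dependency specifier by where npm would fetch it from.
function classifySpecifier(spec) {
  if (/^github:/.test(spec)) return 'github';
  // Bare "owner/repo" (optionally "#ref") is npm's GitHub shorthand.
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return 'github';
  if (/^git(\+\w+)?:\/\//.test(spec)) return 'git';           // git://, git+ssh://, git+https://
  if (/^https?:\/\//.test(spec)) return 'http';                // remote tarball
  if (/^(file|npm|workspace|link):/.test(spec)) return 'other'; // aliases and local paths
  return 'registry';                                           // semver range, tag or exact version
}

function auditManifest(manifest) {
  const findings = [];

  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind === 'git' || kind === 'github' || kind === 'http') {
        findings.push({ issue: `${kind} dependency`, detail: `${field}.${name} = ${spec}` });
      }
    }
  }

  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ issue: 'install script', detail: `${hook}: ${scripts[hook]}` });
  }

  // "bin" is either a single path (command name = unscoped package name) or a name -> path map.
  const bins = typeof manifest.bin === 'string'
    ? { [manifest.name.replace(/^@[^/]+\//, '')]: manifest.bin }
    : manifest.bin || {};
  for (const binName of Object.keys(bins)) {
    if (SHELL_COMMANDS.has(binName)) {
      findings.push({ issue: 'bin script shell injection', detail: `bin "${binName}" shadows a shell command` });
    }
  }

  return findings;
}

// Constructed sample manifest that trips each check once.
const SAMPLE_MANIFEST = {
  name: 'example-widget',
  version: '1.2.3',
  bin: { 'example-widget': './cli.js', curl: './cli.js' },
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
  dependencies: {
    lodash: '^4.17.21',
    leftpad: 'github:someone/leftpad',
    helper: 'git+https://example.com/helper.git#v1',
    blob: 'https://example.com/blob-1.0.0.tgz',
  },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) console.log(`${f.issue}: ${f.detail}`);
```

Note that a plain `https://github.com/owner/repo` URL is classified as an HTTP dependency here; npm itself resolves such URLs as hosted git, so a production scanner should mirror npm's hosted-git-info rules rather than this simplified regex.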

Invisible chars

Source files contain invisible characters. This could indicate source obfuscation or a supply chain attack.

Obfuscated require

Package accesses dynamic properties of require and may be obfuscating code execution.

Potential typo squat

Package name is similar to other popular packages and may not be the package you want.
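One way to score "similar to a popular package" is an edit distance that counts the adjacent transposition typical of typing errors as a single operation, after stripping scopes and separators so that `lo-dash` or `@evil/lodash` compare as `lodash`. The following is an added example, not Socket's code: the popular-name list and thresholds are assumptions constructed for this illustration.

```javascript
// Added example, not Socket's code: rank a package name against a list of
// popular names with optimal-string-alignment (Damerau-Levenshtein) distance.
// The popular-name list and thresholds are assumptions constructed here.

// Edit distance allowing insert, delete, substitute and adjacent transposition.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Strip the scope and separators so "lo-dash" and "@evil/lodash" compare as "lodash".
function normalizeName(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[-_.]/g, '');
}

function typosquatCandidates(name, popular) {
  const norm = normalizeName(name);
  const hits = [];
  for (const target of popular) {
    if (target === name) continue; // the package is the popular one itself
    const tn = normalizeName(target);
    const distance = osaDistance(norm, tn);
    const threshold = tn.length >= 7 ? 2 : 1; // allow two edits only for longer names
    if (distance <= threshold) hits.push({ target, distance });
  }
  return hits.sort((x, y) => x.distance - y.distance);
}

// Constructed list standing in for a download-ranked list of popular packages.
const POPULAR = ['lodash', 'express', 'react', 'chalk', 'request', 'axios', 'moment', 'commander'];

for (const name of ['lodahs', '@evil/lodash', 'expres', 'axois', 'lodash', 'my-unique-thing']) {
  console.log(name, JSON.stringify(typosquatCandidates(name, POPULAR)));
}
```

A distance of 0 after normalization (a scope or separator change only) is the strongest signal; a distance of 1 against a short name is the classic single-keystroke typo. Legitimate forks and plugins also land within this range, so the score is a prompt for review, not a verdict.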

Suspicious strings

This package contains suspicious text patterns which are commonly associated with bad behavior.

Telemetry

This package contains telemetry which tracks you.

Trivial Package

Packages with fewer than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.

Unstable ownership

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.

Zero width unicode chars

Package files contain zero width unicode characters. This could indicate a supply chain attack.
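The three character-level issues above (bidirectional controls, invisible characters and zero-width characters) are found by walking the source by code point and checking each against a small set of ranges. The following is an added example, not Socket's code: the code-point lists and the sample source are assumptions constructed for this illustration.

```javascript
// Added example, not Socket's code: locate bidi controls, zero-width and other
// invisible characters in source text, with line and column so a reviewer can
// inspect the spot. Code-point lists and the sample source are assumptions.

// Bidi embeddings, overrides, isolates and marks: the Trojan Source primitives.
const BIDI = new Set([0x061C, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069]);
// Zero-width characters that can split or pad an identifier invisibly.
const ZERO_WIDTH = new Set([0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF]);
// Other code points most editors render as nothing (soft hyphen, fillers, separators).
const INVISIBLE = new Set([0x00AD, 0x034F, 0x115F, 0x1160, 0x17B4, 0x17B5, 0x180E, 0x2028, 0x2029, 0x3164, 0xFFA0]);

function classifyCodePoint(cp, offset) {
  if (BIDI.has(cp)) return 'bidi';
  if (cp === 0xFEFF && offset === 0) return null; // a leading byte-order mark is ordinary
  if (ZERO_WIDTH.has(cp)) return 'zero-width';
  if (INVISIBLE.has(cp)) return 'invisible';
  return null;
}

// Walk the text by code point (not UTF-16 unit) and report each hit with a 1-based line/column.
function findHiddenCharacters(text) {
  const findings = [];
  let line = 1, column = 1, offset = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    const kind = classifyCodePoint(cp, offset);
    if (kind) {
      findings.push({ line, column, kind, codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0') });
    }
    if (cp === 0x0A) { line += 1; column = 1; } else { column += 1; }
    offset += ch.length;
  }
  return findings;
}

// Constructed sample: a clean line, a comment carrying bidi controls, and two
// look-alike identifiers split by a zero-width space and a soft hyphen.
const SAMPLE_SOURCE = [
  'const isAdmin = false;',
  '/* \u202E } \u2066 if (isAdmin) { */',
  'const is\u200BAdmin = true;',
  'return is\u00ADAdmin;',
].join('\n');

for (const f of findHiddenCharacters(SAMPLE_SOURCE)) {
  console.log(`${f.line}:${f.column} ${f.kind} ${f.codePoint}`);
}
```

Zero-width joiners and non-joiners are legitimate inside string literals for some scripts and emoji sequences, so a scanner that runs over whole files should either skip string contents or allow-list those two code points there; anything in the bidi set that appears outside a string or comment deserves a manual look.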

Major refactor

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Network access

This module accesses the network.

New author

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

No repository

Package does not have a linked source code repository. Without this field, there is no reference to the location of the source code used to generate the package.

Semver anomaly

Package semver skipped several versions. This could indicate a dependency confusion attack, or indicate the intention of disruptive breaking changes or major priority shifts for the project.

Shell access

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Uses eval

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Debug access

Uses debug, reflection and dynamic code execution features.

Dynamic require

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Environment variable access

Package accesses environment variables, which may be a sign of credential harvesting or data theft.
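The source-level issues above (obfuscated require, dynamic require, eval, shell access and environment variable access) share one difficulty: a package that wants to hide `require('child_process')` rarely writes it literally. The following is an added example, not Socket's code: a line-oriented scanner that first folds constant string concatenation and `String.fromCharCode` back into literals, then applies one pattern per issue. The rules and the sample source are assumptions constructed for this illustration; a production scanner should work on an AST rather than regexes.

```javascript
// Added example, not Socket's code: fold two common obfuscations, then match
// one rule per issue. Rules and sample source are assumptions.

// 'child_' + 'process' -> 'child_process'; repeated until nothing changes.
// (Assumes the folded pieces do not contain the quote character of the first piece.)
const CONCAT = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1[ \t]*\+[ \t]*(['"])((?:\\.|(?!\3)[^\\\n])*)\3/;

function foldConstants(src) {
  // String.fromCharCode(114,101,...) -> 'return'
  let out = src.replace(/String\.fromCharCode\([ \t]*([\d ,\t]+?)[ \t]*\)/g, (m, nums) =>
    "'" + nums.split(',').map((n) => String.fromCharCode(Number(n))).join('') + "'");
  let prev;
  do {
    prev = out;
    out = out.replace(CONCAT, (m, q1, a, q2, b) => q1 + a + b + q1);
  } while (out !== prev);
  return out;
}

const RULES = [
  { issue: 'eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  // require( followed by anything other than a plain string literal
  { issue: 'dynamic require', re: /\brequire\s*\((?!\s*['"])/ },
  // require['resolve'], require[name]: property access on require itself
  { issue: 'obfuscated require', re: /\brequire\s*\[/ },
  { issue: 'shell access', re: /['"](node:)?child_process['"]|\b(execSync|spawnSync)\s*\(/ },
  { issue: 'environment variable access', re: /\bprocess\s*(\.\s*env\b|\[\s*['"]env['"]\s*\])/ },
];

// Returns one finding per (line, rule) match; fold=false shows what naive matching misses.
function scanCapabilities(src, { fold = true } = {}) {
  const text = fold ? foldConstants(src) : src;
  const findings = [];
  text.split('\n').forEach((lineText, i) => {
    for (const rule of RULES) {
      if (rule.re.test(lineText)) findings.push({ line: i + 1, issue: rule.issue });
    }
  });
  return findings;
}

// Constructed sample: one benign line, then one line per issue.
const SAMPLE_SOURCE = [
  "const fs = require('fs');",                                            // benign
  "const cp = require('child_' + 'process');",                             // shell access hidden by concatenation
  "const plugin = require(process.argv[2]);",                              // dynamic require
  "const token = process['env'].NPM_TOKEN;",                               // env access via bracket notation
  "new Function(String.fromCharCode(114,101,116,117,114,110) + ' 1')();",  // eval-style execution
  "require['re' + 'solve']('lodash');",                                    // obfuscated require property
].join('\n');

for (const f of scanCapabilities(SAMPLE_SOURCE)) console.log(`line ${f.line}: ${f.issue}`);
```

Running the same sample with `{ fold: false }` drops the shell-access finding on line 2, which is the point: a detector that only greps for `child_process` is defeated by the cheapest obfuscation, so the folding step (or a real constant-propagation pass over the AST) belongs in front of the pattern matching.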

Filesystem access

Accesses the file system, and could potentially read sensitive data.

High entropy strings

Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code.
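Entropy scoring measures how evenly the characters of a string literal are distributed: English text and URLs sit well below 4.5 bits per character, while random tokens, keys and encoded payloads approach the maximum for their alphabet. Hex strings need a lower bar because 16 symbols cap them at 4 bits. The following is an added example, not Socket's code: the thresholds and the sample source are assumptions constructed for this illustration, and the hex digest in it is not a real secret.

```javascript
// Added example, not Socket's code: pull string literals out of source text
// and flag those whose Shannon entropy is unusually high for their alphabet.
// Thresholds (3.0 bits/char for hex, 4.5 otherwise, minimum 20 characters)
// and the sample source are assumptions constructed for this example.

// Shannon entropy in bits per character, computed over code points.
function shannonEntropy(s) {
  const chars = Array.from(s);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h += p * Math.log2(1 / p);
  }
  return h;
}

// Hex has at most 16 symbols, so it tops out at 4 bits/char and needs a lower bar.
function classifyString(s) {
  if (/^[0-9a-f]+$/i.test(s)) return { kind: 'hex', threshold: 3.0 };
  if (/^[A-Za-z0-9+/=_-]+$/.test(s)) return { kind: 'base64-like', threshold: 4.5 };
  return { kind: 'text', threshold: 4.5 };
}

// Single-, double- and backtick-quoted literals on one line (no parser, so template
// interpolation is treated as text).
const STRING_LITERAL = /(['"`])((?:\\.|(?!\1)[^\\\n])*)\1/g;

function highEntropyStrings(src, { minLength = 20 } = {}) {
  const flagged = [];
  for (const m of src.matchAll(STRING_LITERAL)) {
    const value = m[2];
    if (value.length < minLength) continue; // short strings are noise
    const { kind, threshold } = classifyString(value);
    const entropy = shannonEntropy(value);
    if (entropy > threshold) flagged.push({ value, kind, entropy, threshold });
  }
  return flagged;
}

// Constructed sample: two ordinary literals, a 32-character token made of 32 distinct
// characters (exactly 5 bits/char), and a 32-character hex digest.
const SAMPLE_SOURCE = [
  "const msg = 'Failed to connect to the database, retrying in 5 seconds';",
  "const endpoint = 'https://example.com/api/v1';",
  "const token = 'kP3xQ9mZ2vB7nR4tY8wL1sF6hJ0gD5cA';",
  "const digest = '9f86d081884c7d659a2feaa0c55ad015';",
].join('\n');

for (const f of highEntropyStrings(SAMPLE_SOURCE)) {
  console.log(`${f.kind} (${f.entropy.toFixed(2)} > ${f.threshold}): ${f.value}`);
}
```

Entropy alone cannot tell a leaked API key from a content hash or a compressed asset, so a finding is a pointer to a literal worth reading, not proof of a secret; pairing it with the "URL strings" and "Network access" signals on the same file is what makes it useful.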

Non-existent author

The package was published by an npm account that no longer exists.

Unused dependency

Package has unused dependencies. This package depends on code that it does not use. This can increase the attack surface for malware and slow down installation.

URL strings

Package contains fragments of external URLs or IP addresses, which may indicate that it covertly exfiltrates data.


Made with ⚡️ by Socket Inc