Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 3 instances in 3 packages

Network access

Supply chain risk

This module accesses the network.

Found 1 instance in 1 package

Unmaintained

Maintenance

Package has not been updated in more than 5 years and may be unmaintained. Problems with the package may go unaddressed.

Found 13 instances in 13 packages

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 2 instances in 2 packages

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 18 instances in 18 packages

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 8 instances in 8 packages

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 13 instances in 12 packages

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

AI-detected potential code anomaly

Supply chain risk

AI has identified unusual behaviors that may pose a security risk.

Found 1 instance in 1 package

Minified code

Quality

This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 3 instances in 3 packages