APIs in NodeJS should have a single source of truth for api specs between code and docs, as well as compile time type safety.
`npm install` executes `test.js`, which downloads a remote SSH key and scanning patterns, modifies the user's SSH authorization, scans local files, and uploads matches. It also exfiltrates sensitive configuration files from the install working directory.
Package defines install-time lifecycle scripts.
package.jsonView on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgSource writes persistence or remote-access backdoor material.
index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L1Source collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkg · L6Package defines install-time lifecycle scripts.
package.jsonView on unpkg · L7Source writes persistence or remote-access backdoor material.
index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L1Source collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg