Allow
No blocking evidence remains after static analysis, trusted-intel checks, and any required review.
This page is the public contract for npm package verdicts. It separates classic malware from broader product-security boundaries, including AI-agent control-surface abuse.
Verdicts describe the client-facing install action. They are not all claims of the same kind of malware intent.
No blocking evidence remains after static analysis, trusted-intel checks, and any required review.
The package has real risk or unresolved dangerous capability, but the evidence does not meet the default-block bar.
The package version is blocked by default because trusted intel or review evidence crosses a product security boundary.
The evidence is contradictory, incomplete, unavailable, or high-impact enough that the system should not finalize automatically.
A block requires trusted malicious identity or concrete behavior that crosses a high-impact security boundary.
Exact OSV/OpenSSF malicious package identities become product-default block records. If later evidence disagrees, the safer path is a disagreement review rather than automatic clearing.
Install or runtime code fetches JavaScript, shell commands, or process input from a remote endpoint and executes it without a package-aligned, user-controlled reason.
The package collects tokens, environment variables, local credentials, source, private data, or cloud metadata and sends it to an unauthorized destination.
The package creates hidden startup hooks, VCS hooks, long-lived background processes, destructive file operations, or other persistence outside normal package behavior.
Evidence shows a package identity, version, maintainer, or source bridge is being used to impersonate, replace, or hijack another package.
Npm lifecycle code silently drops, registers, or rewrites a broad or foreign AI-agent control surface. This block category does not require classic credential theft when the delivery is install-time and unconsented.
Warning keeps real risk visible without pretending every dangerous capability is author-intent malware.
A clearly agent-oriented package writes package-aligned skills, plugins, or handlers only inside its own platform namespace. Silent install-time setup is still risky, but it is warn-only unless stronger malicious behavior appears.
A legitimate package exposes dangerous functionality such as unauthenticated remote command execution, but the author intent does not appear malicious.
The package ships a suspicious encoded or high-entropy payload, but review does not find a loader or trigger path that executes it.
Similarity to known-malicious source creates deterministic friction and routes to source-aware review. Similarity alone is not direct block authority.
The package has powerful behavior that is visible, documented, package-aligned, guarded, or user-invoked, without covert triggers or unauthorized data access.
Agent-control files can grant tools, instructions, permissions, network access, or autonomous actions to an AI system. LPM treats install-time mutation of those surfaces as a separate product-security boundary.
Install-time code writes project/home/global Claude, Codex, Cursor, MCP, desktop-agent, or other agent-control files without explicit user action.
Lifecycle code registers remote MCPs, auto-@latest tools, long-poll listeners, permission-bypass launchers, or package-supplied instructions into another agent surface.
The package is clearly an agent platform or extension and lifecycle setup only writes package-aligned files inside its own application namespace.
Setup happens through a visible CLI command such as plugin install, mcp add, or a documented sync command, with no automatic lifecycle mutation.
The short version: foreign or broad unconsented lifecycle mutation blocks. First-party package-owned extension setup warns unless the source proves stronger malicious behavior.
These signals may route to AI or create a warning, but they do not automatically become product-default blocks.
The scanner should be fast, but the public decision has to preserve authority boundaries.
Static findings produce deterministic friction, warnings, and routing decisions. If a routed package needs review, static output does not get treated as source-aware proof by itself.
A later static clean does not clear an OSV/OpenSSF or AI-confirmed block. A real disagreement becomes review work, not an automatic allow.
Source fingerprints and known-malicious signatures help decide what to inspect next. They do not directly block new package identities without trusted identity or reviewed payload evidence.
LPM policy is operational, but these external sources inform the trust and consent boundaries used here.
Dependency lifecycle scripts move toward explicit approval instead of automatic execution.
Model Context Protocol specificationMCP identifies explicit user consent, data control, and tool safety as core trust principles.
MCP security best practicesLocal MCP configuration and privileged transports require consent, validation, and least privilege.
Claude Code permissionsAgent tooling should run under explicit permission modes, scoped rules, and user-controlled approvals.
OWASP LLM06: Excessive AgencyAgentic systems become risky when tools, permissions, or autonomy exceed the intended task boundary.