| Block |
 |
Network access: npm @emnapi/core in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: ? → npm/[email protected] → npm/@emnapi/[email protected]
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
|
Network access: npm @tybys/wasm-util in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: ? → npm/[email protected] → npm/@tybys/[email protected]
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@tybys/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
|
Network access: npm @unrs/resolver-binding-wasm32-wasi in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: ? → npm/[email protected] → npm/@unrs/[email protected]
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@unrs/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
|
Network access: npm napi-postinstall in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: ? → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
|
System shell access: npm unrs-resolver in module child_process
Module: child_process
Location: Package overview
From: ? → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is shell access?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
|
Install-time scripts: npm unrs-resolver during postinstall
Install script: postinstall
Source: napi-postinstall unrs-resolver 1.11.1 check
From: ? → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is an install script?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Potential code anomaly (AI signal): npm @ungap/structured-clone is 100.0% likely to have a medium risk anomaly
Notes: The code correctly reconstructs many built-in JS types and is functionally reasonable for trusted serialized inputs. However it performs dynamic constructor invocation using new envtype and env[name] for Error types without an allowlist or validation. If an attacker can control the serialized input, they can request instantiation of arbitrary global constructors (e.g., Function) or cause prototype pollution via crafted object keys, enabling code execution or other dangerous behavior. The module should only be used with trusted inputs or modified to restrict allowed constructor names and to guard against prototype pollution.
Confidence: 1.00
Severity: 0.60
From: ? → npm/[email protected] → npm/[email protected] → npm/@ungap/[email protected]
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@ungap/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
|
Potential code anomaly (AI signal): npm @unrs/resolver-binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly
Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism.
Confidence: 1.00
Severity: 0.60
From: ? → npm/[email protected] → npm/@unrs/[email protected]
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@unrs/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
|
Potential code anomaly (AI signal): npm jsdom is 100.0% likely to have a medium risk anomaly
Notes: The code fragment does not exhibit clear malicious behavior, but it has several anomalies, including typos and dynamic property manipulation using Reflect API, which could pose a security risk if not properly managed.
Confidence: 1.00
Severity: 0.60
From: packages/assets-controllers/package.json → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
|
Potential code anomaly (AI signal): npm jsdom is 100.0% likely to have a medium risk anomaly
Notes: The code uses new Function() and createFunction() to dynamically create and execute code, which can be dangerous if not properly controlled. The use of with statements and dynamic function creation is similar to using eval(), which is generally discouraged due to security risks. If user input is passed into the event handler bodies, it could lead to cross-site scripting (XSS) vulnerabilities.
Confidence: 1.00
Severity: 0.60
From: packages/assets-controllers/package.json → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
|
Potential code anomaly (AI signal): npm synckit is 100.0% likely to have a medium risk anomaly
Notes: The code is a sophisticated, legitimate utility for managing worker threads with various TypeScript runtimes and global shims. It does not exhibit explicit malicious behavior, hardcoded secrets, or standard malware patterns. The main security considerations relate to the safe handling of workerPath/globalShims inputs and ensuring that only trusted, validated worker code is executed in worker contexts. Overall risk is moderate due to the dynamic nature of code loading, but the fragment itself is a standard, non-malicious utility module.
Confidence: 1.00
Severity: 0.60
From: ? → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
|
Potential code anomaly (AI signal): npm unrs-resolver is 100.0% likely to have a medium risk anomaly
Notes: This command itself is a legitimate-looking native postinstall invocation, but it runs an arbitrary executable (napi-postinstall) supplied by the package ecosystem. That executable could be benign (installing/validating native binaries) or malicious (downloading and executing arbitrary code, installing backdoors, modifying files). Inspect the source of the napi-postinstall binary (or the package that supplies it), its network activity, and any downloaded artifacts before trusting it.
Confidence: 1.00
Severity: 0.60
From: ? → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
MetaMask
+1
-3
+2
+1
+6![socket-security[bot] avatar](https://avatars.githubusercontent.com/in/156372?v=4 "Published by a pub.dev verified publisher"){kind=small}