| CM0001 | IP detection | Package contains suspicious IP addresses | Critical |
| CM0003 | Landing binary | Package is using living off the land binaries in a known malicious way | Critical |
| CM0007 | NPM hooks | Package executes shell commands in installation hooks | Critical |
| CM0011 | Hostname detection | Package contains suspicious hostnames | Critical |
| CM0014 | Masquerade | Package contains binaries masquerading as other file types | Critical |
| CM0024 | Remote executable | Package runs remote executable | Critical |
| CM0037 | Malware bazaar check | Package contains a file whose hash is in Malware Bazaar | Critical |
| CM0038 | Triaged malware (through threat feed) | Manually reviewed and confirmed to contain malware | Critical |
| CM0039 | Depends on malware | Package has a dependency found in the triaged malware table | Critical |
| CM0045 | npm security holding package | Package removed by npm as a security holding package | Critical |
| CM1002 | Malware (via OSSF MAL) | Determined to be malware by contributors to the OpenSSF malicious packages project | Critical |
| HM0002 | Eval blob | Package contains calls to eval with high-entropy arguments | High |
| HM0008 | Typosquatting | Package appears to be typosquatted | High |
| HM0015 | Encrypted binaries | Package contains encrypted binaries | High |
| HM0023 | Strange Python imports | Package imports things in a strange way | High |
| HM0025 | Environment variable enumeration | Package enumerates sensitive system environment variables | High |
| HM0029 | Obfuscated Python | Package contains obfuscated Python | High |
| HM0032 | Exec on remote URL | Package executes code from a remote URL | High |
| HM0033 | Sensitive data enumeration | Package enumerates, writes, and POSTs sensitive data locations | High |
| HM0036 | Webhook exfil | Package exfiltrates data through a webhook | High |
| HM0099 | Basic JavaScript obfuscation | Package contains obfuscated JavaScript | High |
| MM0012 | Native code | Package contains calls used to load native code | Medium |
| MM0024 | Remote executable | Package references remote executable | Medium |
| IM0007 | NPM hooks | Package runs the software immediately after installation | Minimum |
| IM0006 | NPM hooks | Package uses install hooks to ask for donations | Minimum |
| IM0009 | Unicode detection | Package uses suspicious Unicode characters | Minimum |
| IM0013 | Dynamic code | Package contains calls used to run dynamic classes | Minimum |
| IM0017 | Compiled binaries | Package contains compiled binaries | Minimum |
| IM0019 | Eval function calls | Package contains files with eval calls | Minimum |
| IM0020 | Odd dependencies | Package contains non-standard dependencies | Minimum |
| IM0040 | Decodes hardcoded base64 strings | Package decodes hardcoded Base64 strings | Minimum |
| IM0041 | High entropy blobs | Package contains high entropy blobs | Minimum |
| IM0042 | Nuget install scripts | Package contains scripts that will run on install | Minimum |
| IM0043 | Cargo build file | Package contains build.rs file that will run on build and compile | Minimum |
| IM0044 | Rubygems install hooks | Package contains Ruby pre- or post-install hooks | Minimum |
| IM0047 | Python build hook | Package contains Python build hook files | Minimum |
| IM0051 | POST request behavior | Package contains code that performs a POST request | Minimum |
| .M0004 | Landing binary | Package uses suspicious executables | Situation-dependent severity |
| .M0018 | Dependency confusion | Package has an unusual semver or is not found in the registry | Situation-dependent severity |
| .M0028 | Suspicious URL references | Package references sites uncommon to legitimate software | Situation-dependent severity |
| .M0031 | Suspicious Python setup commands | Package contains unusual commands in setup.py | Situation-dependent severity |
| .M0048 | Compiled Python files | Package contains compiled Python (.pyc) files | Situation-dependent severity |