Issue tags
Package Firewall uses issue tags to uniquely identify issues it detects when a package is scanned. These tags are included in the metadata when policies are created.
| Tag ID | Issue Name | Issue Description |
|---|---|---|
| CA0001 | Bad author | Author is known malicious |
| CM0001 | IP detection | Package contains suspicious IP addresses |
| CM0003 | Landing Binary | Package uses living-off-the-land binaries in a known malicious way |
| .M0004 | Landing Binary | Package uses suspicious executables |
| IL0005 | License | Non-commercial use risk detected |
| IM0006 | NPM hooks | Package uses install hooks to ask for donations |
| CM0007 | NPM hooks | Package executes shell commands in installation hooks |
| IM0007 | NPM hooks | Package runs the software immediately after installation |
| HM0008 | Typosquatting | Package appears to be typosquatted |
| CM0011 | Hostname detection | Package contains suspicious hostnames |
| MM0012 | Native code | Package contains calls used to load native code |
| IM0013 | Dynamic code | Package contains calls used to run dynamic classes |
| ME0016 | Secrets | Secrets or tokens found in the package outside test or example files |
| IE0016 | Secrets | Secrets or tokens found in the package inside test or example files |
| IM0017 | Compiled binaries | Package contains compiled binaries |
| HM0018 | Dependency confusion | Package has an unusual semver or is not found in the registry |
| IL0022 | License Mismatch | Package has a license mismatch between metadata and files |
| HA0023 | Ephemeral author domain | A disposable domain was used by a maintainer |
| IE0023 | IP detection | This package may contain hardcoded IP addresses |
| HM0023 | Strange Python imports | Package imports things in a strange way |
| CM0024 | Remote executable | Package runs remote executable |
| MM0024 | Remote executable | Package references remote executable |
| HM0025 | Environment variable enumeration | Package enumerates sensitive system environment variables |
| IE0027 | Trivial package | Package may be too small to be worth the security risk |
| MM0028 | Suspicious URL references | Package references sites uncommon to legitimate software |
| HM0029 | Obfuscated Python | Package contains obfuscated Python |
| .M0031 | Suspicious Python setup commands | Package contains unusual commands in setup.py |
| HM0032 | Exec on remote URL | Package executes code from a remote URL |
| HM0036 | Webhook exfil | Package exfiltrates data through a webhook |
| CM0037 | Malware bazaar check | Package contains a file whose hash is in Malware Bazaar |
| CM0038 | Triaged Malware (through threat feed) | Manually reviewed and confirmed to contain malware |
| CM0039 | Depends on malware | Package has dependency found in triaged malware table |
| IM0040 | Decodes hardcoded base64 strings | Package decodes hardcoded Base64 strings |
| IM0041 | High entropy blobs | Package contains high entropy blobs |
| IM0042 | NuGet install scripts | Package contains scripts that will run on install |
| IM0043 | Cargo build file | Package contains a build.rs file that will run at build and compile time |
| IM0044 | RubyGems install hooks | Package contains Ruby pre- or post-install hooks |
| CM0045 | npm security holding package | Package removed by npm as a security holding package |
| CE0046 | Deprecated package | Package has been deprecated |
| IM0047 | Python build hook | Package contains Python build hook files |
| IL0050 | License | License requires source code distribution |
| HM0099 | Basic JavaScript obfuscation | Package contains obfuscated JavaScript |
| IE1001 | Unmaintained | Package has been marked as unmaintained by RustSec |
| CM1002 | Malware (via OSSF MAL) | Determined to be malware by contributors to the OpenSSF malicious packages project |