Install script: postinstall

Source: node ./bin/post-install || exit 0

From: package-lock.json → npm/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: This es-module-lexer component appears legitimate in its intended role but contains a significant risk surface: (a) an eval-based sink that can execute code derived from untrusted module input, and (b) an embedded wasm blob loaded at runtime that could be manipulated via supply chain compromise. The combination means using this parser with untrusted code or in an unsafe host environment could enable arbitrary code execution or behavior modification. The code shows no obvious exfiltration or persistence mechanisms, but the eval path is unacceptable in many security models and requires strict sandboxing or replacement with safer parsing patterns. Recommend using only trusted inputs, hardening the eval path (remove or heavily restrict), and validating the wasm blob integrity via checksums/signatures in the build/publish process.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: This file itself does not contain direct malicious payloads (no eval, no hardcoded secrets, no obfuscation). However it intentionally downloads and executes an external package (nx-mcp@latest) via the package manager's dlx mechanism and forwards user input as arguments. That design presents a clear supply-chain risk: a malicious or compromised 'nx-mcp' package (or tampered registry response) could execute arbitrary code on the host. Recommend pinning to a specific audited version, verifying package integrity, or avoiding executing unpinned remote packages automatically. Treat this as a moderate security risk due to potential supply-chain execution.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The JavaScript wrapper is a legitimate auto-generated napi-rs/WASI loader for a wasm module and does not itself contain direct malicious JS code. However it deliberately grants the loaded WASM and worker threads high privileges: it forwards the entire process.env and preopens the host filesystem root, which can expose secrets and allow extensive filesystem operations if the wasm (or resolved package) is malicious or compromised. Treat the wasm binary and package provenance as critical: verify the wasm artifact and avoid forwarding full environment or root preopens for untrusted modules.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code is a standard JS-implemented Quick Sort with caching of a generated sorter per comparator. It uses dynamic function construction but does not perform network access, file I/O, or data exfiltration. The primary risk is performance-related and potential side effects from the user-provided comparator, not malicious activity. Overall, the code shows low malicious intent and moderate security risk due to dynamic code generation and reliance on external comparator behavior.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/[email protected] → npm/@vitest/[email protected] → npm/@vitest/[email protected] → npm/@toruslabs/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: This module acts as a standard tar extraction wrapper using synchronous and asynchronous code paths. There is no evident malicious activity within this fragment. Security risk hinges on the behavior of the Unpack/UnpackSync implementation and how tar entries are written to disk (e.g., path traversal). No hardcoded secrets or network calls are present here. Recommend ensuring tar extraction handles path traversal and destination path sanitization in Unpack, and consider validating opt.file presence and type before streaming.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.