# node-forge@0.10.0 — Threat Briefing

High risk — threat briefing for npm package node-forge@0.10.0. Capabilities, risk paths, and what to check.

- **Ecosystem:** npm
- **Latest version:** 1.3.3
- **License:** (BSD-3-Clause OR GPL-2.0)

## Risk

- **Level:** high
- **Summary:** Sensitive file access with network egress — credential exfiltration pattern

## Capability Summary

| Capability | Level |
|---|---|
| install scripts | Prepublish |
| network access | client |
| filesystem | read |
| shell execution | none |

## Capabilities

### Install Scripts

- Install-time script execution [common]

### Other

- No dependency lockfile (unpinned installs) [common]
- Cryptographic hashing [common]
- Encryption/decryption operations [common]
- Long encoded payload [common]
- new Function() constructor [common]

### Execution

- Dynamic code execution (eval) [unusual]

### Network

- Network client [common]

### Filesystem

- Sensitive file access [unusual]

## Recommended Action

Review before installing in sensitive environments.