Beta: Shoulder is in beta. Results can sometimes be wrong; your feedback determines what we fix next.

Security Alerts

Signals from Shoulder's ecosystem analysis: newly scanned packages, detected risk changes, and surfaced weaknesses.

Alerts are generated when Shoulder analyzes a package and identifies signals that merit review. Each alert links to a full threat briefing.

npm/@alintever/[email protected] CRITICAL

Bulk env-var sweep + shell exec at runtime — credential-stealer

  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Install hook spawns dynamic / forked-detached shell — dropper attribution
  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)

npm/@forsakringskassan/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)

npm/@jean2/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Sensitive file access with network egress — credential exfiltration pattern

npm/@knapsack/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

npm/@knapsack/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Dynamic eval + network access BOTH appeared in this version — hijack shape (payload-introduction signature; neither cap was present in the trust-anchor baseline)
  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/@knapsack/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

npm/@made-by-moonlight/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

npm/@thebuoyant-tsdev/[email protected] HIGH

Publisher's current primary email is on a known burner / anonymous-by-design provider — ongoing hijack-shape state (persists across versions; companion to the transition signal)

npm/@togo-framework/[email protected] CRITICAL

Install-time payload delivery: remote fetch + execution during install

  • matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution

npm/@writechoice/[email protected] MEDIUM

Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)

  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

pypi/[email protected] CRITICAL

Obfuscated payload + credential-harvest capability: javascript-obfuscator-grade output combined with cloud-metadata / bulk-env-sweep / cloud / SSH / browser / wallet credential access

  • matched: verdict_obfuscated_credential_exfil