# Security Insights

Security insight selectors rely on data provided by Socket. Using any of these selectors triggers a network call to fetch package report data.

:::note
Security selectors require fetching data from Socket’s API. This adds latency to queries — the data is fetched before the query runs. Keep this in mind for interactive use.
:::
## Malware & threats

### `:malware`

Matches packages that may contain malware with severity >= medium (critical, high, medium — excludes low).

```bash
$ vlt query ':malware'
```

### `:malware(<type>)`

Filter by severity level:

| Type | Description |
|---|---|
| `critical` or `0` | Critical severity |
| `high` or `1` | High severity |
| `medium` or `2` | Medium severity |
| `low` or `3` | Low severity |

Comparators are supported:

```bash
$ vlt query ':malware(critical)'
$ vlt query ':malware(">1")'
$ vlt query ':malware(">=medium")'
```

### `:squat` / `:squat(<type>)`
Matches packages with names similar to popular packages (typosquatting).

```bash
$ vlt query ':squat'
```

`:squat` without arguments matches any severity. Filter with:

| Type | Description |
|---|---|
| `critical` or `0` | High-confidence typosquat |
| `medium` or `2` | Possible typosquat |
| `none` | Not a typosquat |
### `:suspicious`

Matches packages with artificially inflated GitHub stars (bots, crowdsourcing, etc.):

```bash
$ vlt query ':suspicious'
```

### `:confused`

Matches packages affected by manifest confusion — the published `package.json` differs from what’s in the tarball:

```bash
$ vlt query ':confused'
```

## Vulnerabilities
### `:vulnerable` / `:vuln`

Matches packages that have any CVE associated with them:

```bash
$ vlt query ':vulnerable'
```

The `:vuln` alias works identically:

```bash
$ vlt query ':vuln'
```

### `:cve(<id>)`

Matches packages with a specific CVE alert:

```bash
$ vlt query ':cve(CVE-2023-1234)'
```

Match packages with any CVE:

```bash
$ vlt query ':cve(*)'
```

### `:cwe(<id>)`

Matches packages with a specific CWE alert:

```bash
$ vlt query ':cwe(CWE-79)'
```

### `:severity(<level>)`

Matches packages by CVE severity level:

| Level | Description |
|---|---|
| `critical` or `0` | Critical severity CVEs |
| `high` or `1` | High severity CVEs |
| `medium` or `2` | Medium severity CVEs |
| `low` or `3` | Low severity CVEs |

Comparators are supported:

```bash
$ vlt query ':severity(critical)'
$ vlt query ':severity(">1")'
$ vlt query ':severity(">=medium")'
```

## Licensing
### `:license(<type>)`

Matches packages based on license issues:

| Type | Description |
|---|---|
| `unlicensed` | No license |
| `misc` | Fine-grained license problems |
| `restricted` | Non-permissive license |
| `ambiguous` | Ambiguous licensing |
| `copyleft` | Copyleft license (GPL, etc.) |
| `unknown` | License data found but type undetermined |
| `none` | No license data at all |
| `exception` | SPDX license exception |

```bash
# Find packages with copyleft licenses
$ vlt query ':license(copyleft)'

# Find unlicensed packages
$ vlt query ':license(unlicensed)'

# Find packages with any license
$ vlt query ':license'
```

## Code behavior signals
### `:eval`

Packages using dynamic code execution (`eval()`, `new Function()`, etc.):

```bash
$ vlt query ':eval'
```

### `:network`

Packages that access the network:

```bash
$ vlt query ':network'
```

### `:fs`

Packages that access the file system:

```bash
$ vlt query ':fs'
```

### `:env`

Packages that access environment variables:

```bash
$ vlt query ':env'
```

### `:shell`

Packages that access the system shell:

```bash
$ vlt query ':shell'
```

### `:scripts`

Packages with install scripts (postinstall, preinstall, etc.):

```bash
$ vlt query ':scripts'
```

### `:debug`

Packages using debug, reflection, or dynamic code execution features:

```bash
$ vlt query ':debug'
```

### `:dynamic`

Packages using dynamic imports:

```bash
$ vlt query ':dynamic'
```

## Obfuscation & hiding
### `:obfuscated`

Packages with intentionally obfuscated code:

```bash
$ vlt query ':obfuscated'
```

### `:minified`

Packages containing minified code:

```bash
$ vlt query ':minified'
```

### `:entropic`

Packages with high-entropy strings (possibly encrypted data, leaked secrets, or obfuscated code):

```bash
$ vlt query ':entropic'
```

### `:native`

Packages containing native code (compiled binaries, shared libraries):

```bash
$ vlt query ':native'
```

### `:shrinkwrap`

Packages containing a shrinkwrap file that may bypass normal install procedures:

```bash
$ vlt query ':shrinkwrap'
```

## Package health
### `:deprecated`

Packages marked as deprecated:

```bash
$ vlt query ':deprecated'
```

### `:unmaintained`

Packages not updated in more than 5 years:

```bash
$ vlt query ':unmaintained'
```

### `:unpopular`

Packages that are not widely used:

```bash
$ vlt query ':unpopular'
```

### `:trivial`

Packages with fewer than 10 lines of code:

```bash
$ vlt query ':trivial'
```

### `:abandoned`

Packages published by an npm account that no longer exists:

```bash
$ vlt query ':abandoned'
```

### `:unknown`

Packages with a new npm collaborator publishing for the first time:

```bash
$ vlt query ':unknown'
```

### `:unstable`

Packages with unstable ownership (new collaborator publishing):

```bash
$ vlt query ':unstable'
```

## Other
### `:tracker`

Packages containing telemetry:

```bash
$ vlt query ':tracker'
```

### `:undesirable`

Packages that are jokes, parodies, or include undocumented behavior:

```bash
$ vlt query ':undesirable'
```

### `:score(<rate>, <kind>)`

Match packages by security score:

| Parameter | Description |
|---|---|
| `rate` | Score value 0–100 (or 0–1), with optional comparator |
| `kind` | Score category (optional, default: `overall`) |

Available kinds: `overall`, `license`, `maintenance`, `quality`, `supplyChain`, `vulnerability`.

```bash
# Packages with exactly 0.8 overall score
$ vlt query ':score(80)'

# Packages with score > 0.8
$ vlt query ':score(">0.8")'

# Low maintenance score
$ vlt query ':score("<=0.5", "maintenance")'
```

## Common audit queries
Run a comprehensive security audit:

```bash
# Critical issues
$ vlt query ':malware(critical), :cve(*), :obfuscated'

# Supply chain risks
$ vlt query ':abandoned, :unmaintained, :unknown'

# License compliance
$ vlt query ':license(copyleft), :license(unlicensed)'

# Code behavior audit
$ vlt query ':eval, :shell, :network, :fs'
```

## See also
- `:scanned` — check if packages have security metadata
- vlt security overview — security features in vlt
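The four audit queries listed under "Common audit queries" are easy to run by hand but become useful in CI only when a match can fail the build. The script below is an added example and is not part of the vlt documentation or the vlt project. It assumes, since this page does not state it, that `vlt query` prints one matching package per line, prints nothing when nothing matches, and exits 0 either way; the `VLT` variable, the `gate` and `audit_failures` functions and the `--run` flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the vlt docs: turn the audit queries into a CI
# gate. Assumption (not stated on the page): `vlt query` prints one matching
# package per line, prints nothing on no match, and exits 0 in both cases.
set -u

VLT="${VLT:-vlt}"   # command to run; override to point at another binary

# count_matches QUERY -> prints how many packages the selector matched
count_matches() {
  # grep -c exits 1 when the count is 0, which is not an error here
  "$VLT" query "$1" | grep -c . || true
}

# gate MODE LABEL QUERY -> prints one report line; returns 1 only when MODE is
# "fail" and the selector matched at least one package
gate() {
  gate_mode=$1; gate_label=$2; gate_query=$3
  gate_n=$(count_matches "$gate_query")
  if [ "$gate_n" -eq 0 ]; then
    printf 'ok    %-14s %s\n' "$gate_label" "$gate_query"
    return 0
  fi
  if [ "$gate_mode" = fail ]; then
    printf 'FAIL  %-14s %s (%s matches)\n' "$gate_label" "$gate_query" "$gate_n"
    return 1
  fi
  printf 'WARN  %-14s %s (%s matches)\n' "$gate_label" "$gate_query" "$gate_n"
  return 0
}

# audit_failures -> runs every gate and prints the number of failing gates on
# stdout; the per-gate report lines go to stderr so the count can be captured
audit_failures() {
  failures=0
  # Critical issues and supply chain risks: any match blocks the build.
  gate fail critical     ':malware(critical), :cve(*), :obfuscated' >&2 || failures=$((failures + 1))
  gate fail supply-chain ':abandoned, :unmaintained, :unknown'       >&2 || failures=$((failures + 1))
  # License compliance: block as well.
  gate fail license      ':license(copyleft), :license(unlicensed)'  >&2 || failures=$((failures + 1))
  # Code behavior: many legitimate packages read files or open sockets, so
  # this query is reported for review rather than failing the build.
  gate warn code-behavior ':eval, :shell, :network, :fs'              >&2 || failures=$((failures + 1))
  echo "$failures"
}

# Only run the audit when invoked as `sh audit.sh --run`; sourcing the file
# just defines the functions.
if [ "${1:-}" = "--run" ]; then
  n=$(audit_failures)
  [ "$n" -eq 0 ] || { echo "$n gate(s) failed" >&2; exit 1; }
  echo "security audit passed"
fi
```

`sh audit.sh --run` exits non-zero as soon as any `fail` gate matches. The code-behavior query is deliberately a `warn` gate: `:fs` and `:network` match a large share of ordinary packages, so failing on them would block every build and train people to ignore the report.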