Alert type docs (AlertType)

This directory is the canonical documentation for the scanner’s internal AlertType values.

Note: When you add/remove an alert type (source of truth: enum AlertType in prisma/schema.prisma), you must also:

• add/remove a markdown page in this folder
• update the index below

These markdown files are also rendered in the web app at /docs/alerts.

If you’re looking for Socket.dev’s full catalog (external reference, not our internal enum), see docs/SOCKET_ALERT_TYPES.md.

Index

• installScripts: npm lifecycle scripts that run during install/uninstall
• networkAccess: code that can make network requests (potential exfiltration)
• typosquat: package name similarity suggesting a typo-squat
• obfuscation: packed/high-entropy/obfuscated code
• shellExecution: use of shell / process execution APIs
• envAccess: access to environment variables (often secrets)
• evalUsage: dynamic code execution via eval / Function
• base64Secrets: base64 strings consistent with secrets/payloads
• cryptoMining: mining/pool indicators and miner-like code
• sensitiveFileAccess: reads/writes of sensitive paths (SSH keys, cloud creds, etc.)
• dangerousApi: risky Node/browser APIs commonly abused by malware
• c2Communication: command-and-control indicators (suspicious hosts/URLs)
• gitDependency: dependency that resolves to a git/GitHub URL or shorthand
• httpDependency: dependency that resolves to a remote HTTP(S) URL
• telemetry: telemetry/analytics behavior
• shrinkwrap: presence of npm-shrinkwrap.json / lockfile patterns
• trivialPackage: extremely small/trivial packages (higher risk surface)
• hasNativeCode: native/compiled artifacts (harder to audit)
• manifestConfusion: registry manifest differs from tarball contents
• llmFlagged: LLM-based analysis flagged suspicious intent
• dependencyConfusion: private/public package name collision risk
• repojacking: maintainer/repo takeover risk signals
• customNovel: novel heuristics not covered by a dedicated alert type