dangerousApi

Rendered from docs/alerts/dangerousApi.md


Flags usage of high-risk APIs that are commonly abused by malware (for example dynamic module loading, unsafe deserialization, privileged system calls).

Implemented in: src/lib/detection/plugins/dangerous-apis.ts
Enabled by default: yes

What it means

The package calls one or more APIs that either expand what the code can do at runtime (load modules dynamically, execute generated code or shell commands, reach privileged system interfaces) or reduce auditability, because what actually runs is decided at runtime rather than being visible in the source.

Why it matters

“Dangerous APIs” are rarely malicious on their own, but they strongly increase risk when paired with obfuscation, network activity, or runtime code generation.

What to do

  • Confirm the API usage is necessary for the package's stated purpose and scoped as narrowly as possible.
  • Trace the data flow into the API: a string constant can be reviewed in place; a value derived from the environment, the network, or a decoded blob cannot, and deserves the most scrutiny.
  • Correlate with the evalUsage, shellExecution, and networkAccess alerts on the same package; co-occurrence is a much stronger signal than any one alert alone.

Common fields

  • filePath, lineStart/lineEnd, codeSnippet
  • metadata may include the specific API/pattern matched
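
The triage steps under "What to do" and the fields listed above, as an added example that is not the project's dangerous-apis.ts plugin and makes no claim about how that plugin matches: a line-based lexical scan in TypeScript over a constructed sample file that flags a short list of Node.js APIs, records whether the call's argument is a string constant or a dynamic expression, emits findings with filePath, lineStart/lineEnd, codeSnippet and metadata, and escalates when a data-driven call co-occurs with runtime code generation. The rule list, the Finding shape, the severity levels, and the SAMPLE_FILE contents are assumptions made for this example.

```typescript
// Added example, not the project's dangerous-apis.ts plugin: a line-based,
// lexical scan (no parsing, no alias resolution) over Node.js source.
// The rule list, the Finding shape and the severity levels are assumptions.

export type Argument = "constant" | "dynamic";
export type Severity = "none" | "low" | "medium" | "high";

export interface Finding {
  filePath: string;
  lineStart: number;
  lineEnd: number;
  codeSnippet: string;
  metadata: { api: string; argument: Argument };
}

// Builds a regex for a call: group 1 is the character before the callee and
// must not be '.' or a word character, so `regex.exec(` is not mistaken for
// child_process.exec; group 2 is the argument text, up to the first ',' or ')'.
function callPattern(callee: string, args = "[^,)]*"): RegExp {
  return new RegExp(`(^|[^.\\w])${callee}\\s*\\(\\s*(${args})`);
}

// flagConstant=false: require('fs') is routine, only a computed module id is reported.
const RULES: Array<{ api: string; re: RegExp; flagConstant: boolean }> = [
  { api: "require", re: callPattern("require"), flagConstant: false },
  { api: "eval", re: callPattern("eval"), flagConstant: true },
  { api: "new Function", re: callPattern("new\\s+Function", "[^)]*"), flagConstant: true },
  { api: "vm.runInContext", re: callPattern("vm\\.runIn(?:New|This)?Context"), flagConstant: true },
  { api: "child_process", re: callPattern("(?:child_process\\.)?(?:execSync|execFile|exec|spawnSync|spawn|fork)"), flagConstant: true },
  { api: "process.binding", re: callPattern("process\\.binding"), flagConstant: true },
];

// An argument list is "constant" only if it is entirely plain string literals
// (no concatenation, no identifiers, no `${}` template expressions).
const CONSTANT_ARGS =
  /^\s*(?:'[^'\\]*'|"[^"\\]*"|`[^`$\\]*`)(?:\s*,\s*(?:'[^'\\]*'|"[^"\\]*"|`[^`$\\]*`))*\s*$/;

// Scans one file and returns findings shaped like the fields this page lists.
export function scanSource(filePath: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      const argument: Argument = CONSTANT_ARGS.test(m[2] ?? "") ? "constant" : "dynamic";
      if (argument === "constant" && !rule.flagConstant) continue;
      findings.push({
        filePath,
        lineStart: i + 1,
        lineEnd: i + 1,
        codeSnippet: line.trim(),
        metadata: { api: rule.api, argument },
      });
    }
  });
  return findings;
}

// Escalation follows the guidance above: a call fed by non-constant data is
// worse than a constant one, and worst when paired with runtime code generation.
export function triage(findings: Finding[]): Severity {
  const dynamic = findings.some((f) => f.metadata.argument === "dynamic");
  const codeGen = findings.some((f) =>
    ["eval", "new Function", "vm.runInContext"].includes(f.metadata.api));
  if (dynamic && codeGen) return "high";
  if (dynamic) return "medium";
  return findings.length > 0 ? "low" : "none";
}

// Constructed sample input, not code from any real package.
export const SAMPLE_FILE = [
  "const fs = require('fs');",                              // constant require: not reported
  "const { exec } = require('child_process');",
  "const name = process.env.PLUGIN;",
  "const plugin = require('./plugins/' + name);",           // module id built from env input
  "exec('ls -la', (err, out) => console.log(out));",        // shell call with a constant command
  "const payload = Buffer.from(blob, 'base64').toString();",
  "eval(payload);",                                         // code generated from decoded data
].join("\n");

console.log(JSON.stringify(scanSource("index.js", SAMPLE_FILE), null, 2));
console.log("severity:", triage(scanSource("index.js", SAMPLE_FILE)));
```

On the sample the scan reports three findings (the dynamic require on line 4, the constant exec on line 5, the eval on line 7) and triage returns "high" because a data-driven call coexists with runtime code generation. The limits are deliberate and worth knowing when reading any lexical result: an aliased call such as `const cp = require('child_process'); cp.exec(...)` is missed, a string literal containing `)` truncates the captured argument, and "constant" only means the literal is visible on that line, not that the surrounding code is safe.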