manifestConfusion

Rendered from docs/alerts/manifestConfusion.md

Flags mismatches between what the registry claims about a package version (the manifest) and what the published tarball actually contains (its package.json: name, version, scripts, dependencies, and similar fields).

Implemented in: src/lib/detection/plugins/novel/manifest-confusion.ts
Enabled by default: no (available plugin; enable in the detection service/plugin set)

What it means

The registry metadata for this version and the package.json inside the tarball disagree on fields that consumers and scanners rely on, such as install scripts or the dependency list. A reader of one source gets a different picture of the package than a reader of the other.

Why it matters

Attackers can publish benign-looking registry metadata while shipping a tarball whose package.json declares different scripts or dependencies (or the reverse), to bypass tooling that inspects only one of the two sources. The registry manifest is submitted by the publishing client rather than derived from the tarball, so nothing forces the two to agree, and an audit tool that reads only the registry API can miss an install script that actually runs on `npm install`.

What to do

  • Compare the registry's manifest for the version against the package.json inside the tarball, field by field, with particular attention to scripts and dependencies.
  • Treat unexpected script additions, removals or changes as high-signal, especially for the lifecycle scripts that run at install time (preinstall, install, postinstall, prepare).
  • Re-download the tarball from the official registry endpoint and verify it against the integrity hash the registry publishes (dist.integrity) before inspecting it.
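The three steps above, carried out end to end, as an added example written for this page rather than taken from the plugin at src/lib/detection/plugins/novel/manifest-confusion.ts. It compares a registry manifest with a tarball package.json, reports each differing field as a diff-like change record, marks script changes as high-signal, and checks a downloaded tarball against an SSRI-style dist.integrity value. The two sample manifests and the tarball bytes are constructed for the example; the function and type names are assumptions, not the project's API.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Shape shared by the registry's per-version manifest (from the packument)
// and the package.json found inside the tarball. Only the fields this
// comparison looks at are modelled; names here are the example's own.
export interface ManifestLike {
  name: string;
  version: string;
  scripts?: Record<string, string>;
  dependencies?: Record<string, string>;
}

export interface Change {
  field: 'name' | 'version' | 'scripts' | 'dependencies';
  key: string;                      // script or dependency name ('' for name/version)
  kind: 'added' | 'removed' | 'changed';
  registry?: string;                // value the registry claims
  tarball?: string;                 // value the tarball actually ships
}

export interface ConfusionReport {
  package: string;                  // name@version as the registry presents it
  changes: Change[];
  installScriptsAffected: string[]; // lifecycle scripts npm runs on install
  highSignal: boolean;              // any script added, removed or changed
}

// Lifecycle scripts npm runs automatically when the package is installed.
const INSTALL_SCRIPTS = new Set(['preinstall', 'install', 'postinstall', 'prepare']);

// Diff two string maps (scripts or dependencies) into change records.
function diffRecord(
  field: 'scripts' | 'dependencies',
  registry: Record<string, string> = {},
  tarball: Record<string, string> = {},
): Change[] {
  const changes: Change[] = [];
  for (const key of Object.keys(registry)) {
    if (!(key in tarball)) {
      changes.push({ field, key, kind: 'removed', registry: registry[key] });
    } else if (registry[key] !== tarball[key]) {
      changes.push({ field, key, kind: 'changed', registry: registry[key], tarball: tarball[key] });
    }
  }
  for (const key of Object.keys(tarball)) {
    if (!(key in registry)) changes.push({ field, key, kind: 'added', tarball: tarball[key] });
  }
  return changes;
}

export function compareManifests(registry: ManifestLike, tarball: ManifestLike): ConfusionReport {
  const changes: Change[] = [];
  for (const field of ['name', 'version'] as const) {
    if (registry[field] !== tarball[field]) {
      changes.push({ field, key: '', kind: 'changed', registry: registry[field], tarball: tarball[field] });
    }
  }
  changes.push(...diffRecord('scripts', registry.scripts, tarball.scripts));
  changes.push(...diffRecord('dependencies', registry.dependencies, tarball.dependencies));

  const scriptChanges = changes.filter((c) => c.field === 'scripts');
  return {
    package: `${registry.name}@${registry.version}`,
    changes,
    installScriptsAffected: scriptChanges.map((c) => c.key).filter((k) => INSTALL_SCRIPTS.has(k)),
    highSignal: scriptChanges.length > 0,
  };
}

// SSRI-style digest in the form the registry publishes as dist.integrity.
export function computeIntegrity(tarball: Uint8Array): string {
  return 'sha512-' + createHash('sha512').update(tarball).digest('base64');
}

// Constant-time check of downloaded tarball bytes against a claimed dist.integrity.
export function integrityMatches(tarball: Uint8Array, claimed: string): boolean {
  const sep = claimed.indexOf('-');
  if (sep < 0) return false;
  const algo = claimed.slice(0, sep);
  if (algo !== 'sha512' && algo !== 'sha256') return false; // refuse weak or unknown algorithms
  const actual = createHash(algo).update(tarball).digest();
  const expected = Buffer.from(claimed.slice(sep + 1), 'base64');
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Constructed sample: the registry advertises no install script and one
// dependency, while the tarball's package.json adds a postinstall hook and a dependency.
export const SAMPLE_REGISTRY: ManifestLike = {
  name: 'example-widget',
  version: '1.2.3',
  scripts: { test: 'node test.js' },
  dependencies: { 'some-dep': '^1.0.0' },
};

export const SAMPLE_TARBALL: ManifestLike = {
  name: 'example-widget',
  version: '1.2.3',
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
  dependencies: { 'some-dep': '^1.0.0', 'extra-dep': '0.0.1' },
};

console.log(JSON.stringify(compareManifests(SAMPLE_REGISTRY, SAMPLE_TARBALL), null, 2));
```

In practice the registry side comes from `npm view <name>@<version> --json` (or the packument endpoint directly) and the tarball side from `npm pack <name>@<version>` followed by extracting `package/package.json`; run `integrityMatches` on the downloaded bytes before trusting anything read out of the archive, and treat a non-empty `installScriptsAffected` as the first thing to triage.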

Common fields

  • metadata may include a diff-like structure listing each field (scripts, dependencies, and so on) whose value in the registry manifest differs from the value in the tarball's package.json