Chaintrap · npm supply chain
Static behavior detection plus OSV vulnerability intel in one report. Use findings for triage; confirm with your process — full stdout and JSON are in the appendix for audit.
npm-mal-scan rated malware risk LOW for this package (heuristic static analysis — not a court verdict). Vulnerability signal: NONE; dependency confusion: NONE. Scanner verdict: NONE.
Scanners prioritize signal over certainty: expect both false positives and blind spots. Chaintrap is designed to combine static detection with OSV CVE data so analysts spend time on packages that look risky and have known-vuln exposure — not to replace manual review or reputation checks.
2 runtime dependencies
| Package | Required | Flags |
|---|---|---|
| mime-types | ~2.1.34 | |
| negotiator | 0.6.3 | |
1.0.0 · Modes: OSV per dependency · resolve cap: 15 · per-child timeout: 120s
| Dependency | Declared | Resolved / status | OSV # | Max OSV severity | Full scan | Reports |
|---|---|---|---|---|---|---|
| mime-types | ~2.1.34 | 2.1.35 | 0 | — | — | — |
| negotiator | 0.6.3 | 0.6.3 | 0 | — | — | — |
OSV queries use the resolved version shown (exact pins as declared; ranges use the highest published version satisfying the range). See NPM_RUNTIME_DEP_OSV_SCAN / NPM_RUNTIME_DEP_FULL_SCAN in operator docs.
Chaintrap pairs static behavior signals above with OSV data for this exact version — cross-check CVEs and malware listings with install scripts, execution paths, and scanner findings.
Source: osv.dev — queried at scan time.
No known vulnerabilities reported for this exact version.
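The resolution rule described above (exact pins queried as declared, ranges resolved to the highest published version satisfying them) and the install-script cross-check, as an added example. This is not Chaintrap's code: it is a self-contained Node.js script that applies the same rule to exact, tilde and caret ranges, builds the osv.dev batch-query body for the resolved versions, and lists the npm lifecycle hooks that execute during install. The registry version lists and the manifest are constructed sample data (the two dependencies from the table above plus made-up neighbouring versions); nothing is fetched from the network.

```javascript
// Added example, not Chaintrap code. Resolves declared npm ranges to exact
// versions the way the report describes, then builds the osv.dev batch query
// for those exact versions and flags install-time lifecycle scripts.

// Constructed sample of the "versions" keys the npm registry would return.
// A real run would fetch https://registry.npmjs.org/<name> instead.
const SAMPLE_REGISTRY = {
  "mime-types": ["2.1.33", "2.1.34", "2.1.35", "3.0.0", "3.0.1"],
  "negotiator": ["0.6.2", "0.6.3", "0.6.4", "1.0.0"],
};

// Constructed manifest (hypothetical package name; deps match the report table).
const SAMPLE_MANIFEST = {
  name: "example-pkg",
  version: "1.0.0",
  dependencies: { "mime-types": "~2.1.34", "negotiator": "0.6.3" },
  scripts: { test: "node test.js" },
};

// Parse "MAJOR.MINOR.PATCH". Prerelease/build tags are deliberately rejected
// (assumption: triage input is release versions only).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Supported range syntaxes:
//   "1.2.3"  exact pin   -> only 1.2.3
//   "~1.2.3" tilde       -> >=1.2.3 <1.3.0
//   "^1.2.3" caret       -> >=1.2.3 <2.0.0; ^0.2.3 -> <0.3.0; ^0.0.3 -> only 0.0.3
// Anything else (||, >=, x-ranges) throws so it is never silently mis-resolved.
function satisfies(version, range) {
  const r = range.trim();
  const op = r[0] === "~" || r[0] === "^" ? r[0] : "";
  const baseStr = op ? r.slice(1) : r;
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (!base || !v) throw new Error(`unsupported version or range: ${version} / ${range}`);
  if (compareVersions(version, baseStr) < 0) return false; // below lower bound
  if (op === "") return compareVersions(version, baseStr) === 0;
  if (op === "~") return v.major === base.major && v.minor === base.minor;
  if (base.major > 0) return v.major === base.major;          // ^X.y.z, X>0
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor; // ^0.Y.z
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;    // ^0.0.Z
}

// Highest published version satisfying the range, or null when none does.
function resolveRange(range, published) {
  const candidates = published.filter((ver) => satisfies(ver, range)).sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Body for POST https://api.osv.dev/v1/querybatch: one query per dependency at
// its resolved exact version. Unresolvable ranges are reported separately so
// they are never mistaken for a clean zero-CVE result.
function buildOsvBatch(dependencies, registry) {
  const queries = [];
  const unresolved = [];
  for (const [name, range] of Object.entries(dependencies)) {
    const resolved = resolveRange(range, registry[name] ?? []);
    if (resolved === null) { unresolved.push({ name, range }); continue; }
    queries.push({ package: { name, ecosystem: "npm" }, version: resolved });
  }
  return { body: { queries }, unresolved };
}

// Lifecycle hooks npm runs when the package is installed from the registry.
// Any CVE or malware listing should be read next to these.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
function installScripts(manifest) {
  const scripts = manifest.scripts ?? {};
  return INSTALL_HOOKS.filter((k) => typeof scripts[k] === "string").map((k) => [k, scripts[k]]);
}

function demo() {
  const result = buildOsvBatch(SAMPLE_MANIFEST.dependencies, SAMPLE_REGISTRY);
  console.log(JSON.stringify(result.body, null, 2));
  console.log("unresolved:", result.unresolved);
  console.log("install hooks:", installScripts(SAMPLE_MANIFEST));
  return result;
}
demo();
```

Posting `body` to the querybatch endpoint returns one result entry per query, in the same order, so the resolved version list doubles as the join key when reading results back. Keeping unresolved ranges out of the query (and surfacing them) matters because an empty `vulns` array for a version that was never queried looks identical to a genuinely clean one.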
require() / import
Illustrative execution chain from scan order and behavior findings — heuristic, not a guaranteed exploit path.
| Tier | Score | File | Classification |
|---|---|---|---|
| T3 | 25 | index.js | other package script (tier 3 shallow scan) |
No suspicious behavior detected in candidate files.
No known vulnerabilities for this version.
Candidate files: index.js

Removal:
- npm uninstall accepts
- npm uninstall -g accepts
- package-lock.json and run npm install