SafeDep
Install GitHub App
SafeDep
Install GitHub App

Summary

Package not malware. http_url_with_msi matched yarnpkg.com/latest.msi, a legitimate Yarn installer URL. Project has high stars/forks.

Verification Record

No verification record available.

Details

The package @yarnpkg/lockfile version 1.1.0 is likely not malware. While the YARA rule http_url_with_msi detected a hardcoded URL https://yarnpkg.com/latest.msi in index.js, this is a legitimate URL pointing to the official Yarn package manager installer. The project yarnpkg/yarn has a substantial number of stars and forks, indicating a well-established and trusted project. The fact that the package has few published versions is a weak signal. Therefore, the presence of the Yarn installer URL is not indicative of malicious behavior in this context.

@yarnpkg/lockfile@1.1.0Clean
Unverified
Analysed at: 8/4/25, 2:10 AM
Source: https://registry.npmjs.org/@yarnpkg/lockfile/-/lockfile-1.1.0.tgz
SHA256: 1fc6fdaf70323755351ae9e10c719891a20c03e6d12d4fc940877aece1993944
Confidence: Medium