Safe
Zero engine detections on a newly submitted package-lock.json file with no behavioural or external-intel signals.
518499bde396f1d93f…bf8727bf6bThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The complete absence of malicious detections across tier-1 and tier-2 engines, combined with no sandbox verdicts or external-intel hits, indicates no malware indicators. The file type (package-lock.json) is a standard Node.js artifact that antivirus engines rarely flag. While the rare_new classification and lack of signing history limit long-term reputation data, nothing in the payload suggests malicious intent or behaviour.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.malicious=0 with tier1Malicious=0 across 61 reporting engines
prevalence.classification=rare_new (1 submission, 0 days old)
signing.verified=null (unsigned) with signerStats.found=false
externalIntel.yaraify.ruleCount=0 and circl.knownMalicious=null
- Zero malicious engine detections
- No behavioural or network indicators
- No external intelligence matches
Treat as a clean package-lock.json file; no further action required unless the file is modified or sourced from an untrusted location.
0 detections across 74 engines
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name
- package-lock.json
- Size
- 311.6 KB
- MIME type
- application/json
- Detected type
- JSON
- SHA-256
- 518499bde396f1d93f028e985fb247f676216af3b6ef5394474c07bf8727bf6b
- MD5
- 27f0bc8838c9c2ed3eb9e00f29a5f621
- SHA-1
- faf90b4225a9d12edcfcf111ff3e96c067ecbccf
- First seen (VT)
- 7/9/2026, 10:30:32 PM
- Last analysis (VT)
- 7/9/2026, 10:30:32 PM
- First scan (MalwareTips)
- 7/9/2026, 10:31:15 PM
- Last scan (MalwareTips)
- 7/9/2026, 10:31:15 PM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.