AST Depth Analysis

Check packages for deep source structures


Well constructed software should produce syntax trees that are fairly wide. Malware typically attempts to hide its behavior by making numerous extraneous and often unnecessary function calls. This tends to produce syntax trees that are very deep, rather than wide.

At best, deep syntax trees may be indicative of some technical debt that needs to be addressed. At worst, it could be a sign that the underlying machinery is slowly unravelling a tangle of code immediately prior to the execution of some malicious payload.


While AST depth analysis is a relatively weak indicator of risk, it is still something that should be considered. Extremely deep syntax trees are likely indicative of something out of the ordinary going on.

Risk Domains

Malicious, Engineering

Impact on the Phylum Package Score

Has a small impact on the package score, commensurate to the depth of the syntax tree.

Examples from the past


Did this page help you?