diff --git a/src/plugins/install-security-scan.runtime.ts b/src/plugins/install-security-scan.runtime.ts
index 1506ac32be4..90f1cb73142 100644
--- a/src/plugins/install-security-scan.runtime.ts
+++ b/src/plugins/install-security-scan.runtime.ts
@@ -186,12 +186,13 @@ async function inspectNodeModulesSymlinkTarget(params: {
 const resolvedTargetStats = await fs.stat(resolvedTargetPath);
 const resolvedTargetRelativePath = path.relative(params.rootRealPath, resolvedTargetPath);
+ const blockedDirectoryFinding = findBlockedPackageDirectoryInPath({
+ pathRelativeToRoot: resolvedTargetRelativePath,
+ });
 return {
- blockedDirectoryFinding: resolvedTargetStats.isDirectory()
- ? findBlockedPackageDirectoryInPath({
- pathRelativeToRoot: resolvedTargetRelativePath,
- })
- : undefined,
+ // File symlinks can point into a blocked package directory, for example
+ // vendor/node_modules/safe-name -> ../plain-crypto-js/dist/index.js.
+ blockedDirectoryFinding,
 blockedFileFinding: resolvedTargetStats.isFile()
 ? findBlockedPackageFileAliasInPath({
 pathRelativeToRoot: resolvedTargetRelativePath,
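Review bot: The directory check in `inspectNodeModulesSymlinkTarget` now receives paths whose last segment is a file name (the comment's own example ends in `dist/index.js`), so the fix holds only if `findBlockedPackageDirectoryInPath` matches a blocked package name at any ancestor segment rather than only the final one. That helper is outside the hunk, so this should be confirmed and pinned with a regression test built from the example in the comment. `path.relative(params.rootRealPath, resolvedTargetPath)` also produces leading `..` segments when the resolved target lies outside the root, and it is not visible here whether that case is rejected earlier or reaches the matcher. As a smaller point, the explanatory comment would sit better above the `const blockedDirectoryFinding = ...` declaration, where the `isDirectory()` gate was actually dropped, than inside the returned object. The function body starts and ends outside the hunk.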