Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsEvalNetworkWebSocket
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
NoLicenseWildcardDependency
Source & flagged code
3 flagged · loading sourcedist/bin.jsView file
1#!/usr/bin/env node
L2: import{createRequire as Sa}from"node:module";var za=Object.create;var{getPrototypeOf:Ia,defineProperty:qz,getOwnPropertyNames:qa}=Object;var La=Object.prototype.hasOwnProperty;func...
L3: Content-Disposition: form-data; name="`;return $.forEach((G,W)=>typeof G=="string"?Y.push(X+Bz(W)+`"\r
...
L12: `)).replace(/\n/g,"%0A").replace(/\r/g,"%0D").replace(/"/g,"%22"),SX=($,J,Q)=>{if(J.length<Q)throw TypeError(`Failed to execute '${$}' on 'FormData': ${Q} arguments required, but o...
L13: --`+$;let J=new Uint8Array($.length);for(let Q=0;Q<$.length;Q++)J[Q]=$.charCodeAt(Q),this.boundaryChars[J[Q]]=!0;this.boundary=J,this.lookbehind=new Uint8Array(this.boundary.length...
L14: `).join(`\r
...
L22: || (${W} === "string" && ${X} && ${X} == +${X} && !(${X} % 1))`).assign(V,m$._`+${X}`);return;case"boolean":Y.elseIf(m$._`${X} === "false" || ${X} === 0 || ${X} === null`).assign(V...
L23: || ${W} === "boolean" || ${X} === null`).assign(V,m$._`[${X}]`)}}}function QQ$({gen:$,parentData:J,parentDataProperty:Q},Y){$.if(m$._`${J} !== undefined`,()=>$.assign(m$._`${J}[${Q...
L24: missingProperty: ${Y},
...
L46: `),{name:"InvalidDefinitionTypeError"})}}});var U1;var z9=o(()=
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
dist/bin.jsView on unpkg · L11Trigger-reachable chain: manifest.bin -> dist/bin.js
L1: #!/usr/bin/env node
L2: import{createRequire as Sa}from"node:module";var za=Object.create;var{getPrototypeOf:Ia,defineProperty:qz,getOwnPropertyNames:qa}=Object;var La=Object.prototype.hasOwnProperty;func...
L3: Content-Disposition: form-data; name="`;return $.forEach((G,W)=>typeof G=="string"?Y.push(X+Bz(W)+`"\r
...
L12: `)).replace(/\n/g,"%0A").replace(/\r/g,"%0D").replace(/"/g,"%22"),SX=($,J,Q)=>{if(J.length<Q)throw TypeError(`Failed to execute '${$}' on 'FormData': ${Q} arguments required, but o...
L13: --`+$;let J=new Uint8Array($.length);for(let Q=0;Q<$.length;Q++)J[Q]=$.charCodeAt(Q),this.boundaryChars[J[Q]]=!0;this.boundary=J,this.lookbehind=new Uint8Array(this.boundary.length...
L14: `).join(`\r
...
L22: || (${W} === "string" && ${X} && ${X} == +${X} && !(${X} % 1))`).assign(V,m$._`+${X}`);return;case"boolean":Y.elseIf(m$._`${X} === "false" || ${X} === 0 || ${X} === null`).assign(V...
L23: || ${W} === "boolean" || ${X} === null`).assign(V,m$._`[${X}]`)}}}function QQ$({gen:$,parentData:J,parentDataProperty:Q},Y){$.if(m$._`${J} !== undefined`,()=>$.assign(m$._`${J}[${Q...
L24: missingProperty: ${Y},
...
L46: `),{name:…
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/bin.jsView on unpkg · L165\r
L66: `),Y=!1,X=!1,G;$.on("response",(W)=>{let{headers:V}=W;Y=V["transfer-encoding"]==="chunked"&&!V["content-length"]}),$.on("socket",(W)=>{let V=()=>{if(Y&&!X){let D=Error("Premature c...
L67: `)}var fY=($)=>(J,Q,Y,X)=>{let G=Y?{...Y,async:!1}:{async:!1},W=J._zod.run({value:Q,issues:[]},G);if(W instanceof Promise)throw new OJ;if(W.issues.length){let V=new(X?.Err??$)(W.is...
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/bin.jsView on unpkg · L65Findings
2 Critical5 Medium6 Low
CriticalWallet Draindist/bin.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvaldist/bin.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License