registry  /  @athrio/loom  /  0.0.2

@athrio/loom@0.0.2

Tangle Loom literate sources into real source files.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 2.44 MB of source, external domains: commonmark.org, github.com, highlightjs.org, html.spec.whatwg.org, rolldown.rs
Oversized source lightweight scan
dist/LoomStore-DPhVqYEz.js4.23 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsShellHighEntropyStringsUrlStringsgithub.com

Source & flagged code

9 flagged · loading source
dist/volar-service-markdown-ZE1pdvJT.jsView file
16296patternName = generic_password severity = medium line = 16296 matchedText = password...d]",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/volar-service-markdown-ZE1pdvJT.jsView on unpkg · L16296
dist/main.jsView file
3import { $ as get, $n as filter, $t as ignore, A as Boolean, An as mergeAll, Ar as identity, At as makeUnsafe, B as make$8, Bn as fail$2, Bt as catchTag, C as errorReported, Cn as ... L4: import * as NodeChildProcess from "node:child_process"; L5: import "node:stream";
High
Child Process

Package source references child process execution.

dist/main.jsView on unpkg · L3
2Cross-file remote execution chain: dist/main.js spawns dist/rolldown-runtime-yvBN9yY6.js; helper contains network access plus dynamic code execution. L2: import { t as __commonJSMin } from "./rolldown-runtime-yvBN9yY6.js"; L3: import { $ as get, $n as filter, $t as ignore, A as Boolean, An as mergeAll, Ar as identity, At as makeUnsafe, B as make$8, Bn as fail$2, Bt as catchTag, C as errorReported, Cn as ... L4: import * as NodeChildProcess from "node:child_process"; L5: import "node:stream"; ... L474: /* istanbul ignore next */ L475: opt.platform = opt.platform || typeof process !== "undefined" && process.platform; L476: opt.bracketedArray = opt.bracketedArray !== false; ... L552: const valueRaw = match[3] ? unsafe(match[4]) : true; L553: const value = valueRaw === "true" || valueRaw === "false" || valueRaw === "null" ? JSON.parse(valueRaw) : valueRaw; L554: if (isArray) { ... L4950: * const filePrimitive = Primitive.path("file", true) L4951: * const filePath = yield* filePrimitive.parse("./package.json")
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/main.jsView on unpkg · L2
2import { t as __commonJSMin } from "./rolldown-runtime-yvBN9yY6.js"; L3: import { $ as get, $n as filter, $t as ignore, A as Boolean, An as mergeAll, Ar as identity, At as makeUnsafe, B as make$8, Bn as fail$2, Bt as catchTag, C as errorReported, Cn as ... L4: import * as NodeChildProcess from "node:child_process"; L5: import "node:stream"; ... L474: /* istanbul ignore next */ L475: opt.platform = opt.platform || typeof process !== "undefined" && process.platform; L476: opt.bracketedArray = opt.bracketedArray !== false; ... L552: const valueRaw = match[3] ? unsafe(match[4]) : true; L553: const value = valueRaw === "true" || valueRaw === "false" || valueRaw === "null" ? JSON.parse(valueRaw) : valueRaw; L554: if (isArray) { ... L4950: * const filePrimitive = Primitive.path("file", true) L4951: * const filePath = yield* filePrimitive.parse("./package.json")
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/main.jsView on unpkg · L2
dist/LoomServer-3C83kvX5.jsView file
461deleteCount, L462: data: newData L463: }]; ... L1855: var fs$2 = __require("fs"); L1856: var child_process_1 = __require("child_process"); L1857: /** ... L1865: for (var i = 0, len = segments.length; i < len; i++) segments[i] = decodeURIComponent(segments[i]); L1866: if (process.platform === "win32" && segments.length > 1) { L1867: let first = segments[0]; ... L1896: return new Promise((resolve, reject) => { L1897: let env = process.env; L1898: let newEnv = Object.create(null);
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/LoomServer-3C83kvX5.jsView on unpkg · L461
1852exports.resolveModulePath = exports.FileSystem = exports.resolveGlobalYarnPath = exports.resolveGlobalNodePath = exports.resolve = exports.uriToFilePath = void 0; L1853: var url = __require("url"); L1854: var path$1 = __require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/LoomServer-3C83kvX5.jsView on unpkg · L1852
8103locale = locale?.toLowerCase(); L8104: const _require = eval("require"); L8105: return {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/LoomServer-3C83kvX5.jsView on unpkg · L8103
dist/LoomStore-DPhVqYEz.jsView file
path = dist/LoomStore-DPhVqYEz.js kind = oversized_source_file sizeBytes = 4436096 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/LoomStore-DPhVqYEz.jsView on unpkg
path = dist/LoomStore-DPhVqYEz.js kind = oversized_cli_entrypoint sizeBytes = 4436096 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/LoomStore-DPhVqYEz.jsView on unpkg

Findings

5 High7 Medium5 Low
HighChild Processdist/main.js
HighShell
HighObfuscated Payload Loaderdist/LoomServer-3C83kvX5.js
HighCross File Remote Execution Contextdist/main.js
HighOversized Source Filedist/LoomStore-DPhVqYEz.js
MediumSecret Patterndist/volar-service-markdown-ZE1pdvJT.js
MediumDynamic Requiredist/LoomServer-3C83kvX5.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/main.js
MediumOversized Cli Entrypointdist/LoomStore-DPhVqYEz.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/LoomServer-3C83kvX5.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings