registry  /  @dadigua/codexhub  /  0.4.15

@dadigua/codexhub@0.4.15

⚠ Under review

Local-first Codex control plane for local, SSH, and registered machines.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 140 file(s), 3.63 MB of source, external domains: 127.0.0.1, codexhub.local, github.com, react.dev, www.w3.org

Source & flagged code

5 flagged · loading source
dist/assets/SyntaxCodeBlock-Bq3TE26T.jsView file
4`);F.forEach(function(L,T){var I=a&&d.length+r,h={type:"text",value:"".concat(L,` L5: `)};if(T===0){var C=u.slice(g+1,p).concat(W({children:[h],className:E.properties.className})),D=y(C,I);d.push(D)}else if(T===F.length-1){var Y=u[p+1]&&u[p+1].children&&u[p+1].child... L6: ?|
High
Child Process

Package source references child process execution.

dist/assets/SyntaxCodeBlock-Bq3TE26T.jsView on unpkg · L4
scripts/install-vscode-extension.tsView file
62L63: const powershell = await powershellPath(); L64: const result = await runCommand(powershell, ["-NoProfile", "-Command", ps]);
High
Shell

Package source references shell execution.

scripts/install-vscode-extension.tsView on unpkg · L62
dist-node/electron/main.jsView file
6import path from "node:path"; L7: var loadDotEnv = async (filePath = path.resolve(process.cwd(), ".env")) => { L8: let contents; ... L17: if (!parsed) continue; L18: if (!(parsed.key in process.env)) process.env[parsed.key] = parsed.value; L19: } ... L71: // src/server/embedded.ts L72: import net2 from "node:net"; L73: ... L375: streamId, L376: send: (frame) => this.send(frame), L377: onClose: () => {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist-node/electron/main.jsView on unpkg · L6
6Detached bundled service listener: dist-node/electron/main.js launches a Node helper and exposes a broad-bound HTTP listener. L6: import path from "node:path"; L7: var loadDotEnv = async (filePath = path.resolve(process.cwd(), ".env")) => { L8: let contents; ... L17: if (!parsed) continue; L18: if (!(parsed.key in process.env)) process.env[parsed.key] = parsed.value; L19: } ... L71: // src/server/embedded.ts L72: import net2 from "node:net"; L73: ... L375: streamId, L376: send: (frame) => this.send(frame), L377: onClose: () => {
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist-node/electron/main.jsView on unpkg · L6
scripts/publish-prod.shView file
path = scripts/publish-prod.sh kind = build_helper sizeBytes = 971 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/publish-prod.shView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalCredential Exfiltrationdist-node/electron/main.js
HighChild Processdist/assets/SyntaxCodeBlock-Bq3TE26T.js
HighShellscripts/install-vscode-extension.ts
HighSpawned Bundled Service Listenerdist-node/electron/main.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/publish-prod.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings