registry  /  @decentnetwork/lan  /  0.1.158

@decentnetwork/lan@0.1.158

⚠ Under review

Private virtual LAN for self-hosted services and AI agents, built on Elastos Carrier. NAT-traversal, name service, ACL, all over a peer-to-peer mesh — no public IP required.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 53 file(s), 1022 KB of source, external domains: reactjs.org, www.apple.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/tun/route-manager.jsView file
4*/ L5: import { execSync } from "child_process"; L6: import { Logger } from "../utils/logger.js";
High
Child Process

Package source references child process execution.

dist/tun/route-manager.jsView on unpkg · L4
dist/ui/desktop/vendor/react-dom.production.min.jsView file
12*/ L13: 'use strict';(function(Q,zb){"object"===typeof exports&&"undefined"!==typeof module?zb(exports,require("react")):"function"===typeof define&&define.amd?define(["exports","react"],z... L14: function mb(a,b){Ab(a,b);Ab(a+"Capture",b)}function Ab(a,b){$b[a]=b;for(a=0;a<b.length;a++)cg.add(b[a])}function bj(a){if(Zd.call(dg,a))return!0;if(Zd.call(eg,a))return!1;if(cj.tes...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ui/desktop/vendor/react-dom.production.min.jsView on unpkg · L12
dist/cli/commands.jsView file
5Cross-file remote execution chain: dist/cli/commands.js spawns dist/ui/server.js; helper contains network access plus dynamic code execution. L5: import { existsSync, mkdirSync, readFileSync } from "fs"; L6: import { createConnection } from "net"; L7: import { createRequire } from "module"; ... L88: sock.on("connect", () => { L89: sock.write(JSON.stringify(req) + "\n"); L90: }); L91: sock.on("data", (chunk) => { L92: buf += chunk.toString("utf-8"); L93: const nl = buf.indexOf("\n"); ... L141: // surface a hint if it doesn't go through. Skipped for any dora the L142: // user removed from dora.userids (i.e. they're pointing at a private L143: // set — they'll run `agentnet dora enable` themselves). The defaults
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/commands.jsView on unpkg · L5
5import { existsSync, mkdirSync, readFileSync } from "fs"; L6: import { createConnection } from "net"; L7: import { createRequire } from "module"; ... L88: sock.on("connect", () => { L89: sock.write(JSON.stringify(req) + "\n"); L90: }); L91: sock.on("data", (chunk) => { L92: buf += chunk.toString("utf-8"); L93: const nl = buf.indexOf("\n"); ... L141: // surface a hint if it doesn't go through. Skipped for any dora the L142: // user removed from dora.userids (i.e. they're pointing at a private L143: // set — they'll run `agentnet dora enable` themselves). The defaults
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/commands.jsView on unpkg · L5
bin/tun-helper-linux-arm64View file
path = bin/tun-helper-linux-arm64 kind = native_binary sizeBytes = 2193270 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/tun-helper-linux-arm64View on unpkg
dist/daemon/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @decentnetwork/lan@0.1.137 matchedIdentity = npm:QGRlY2VudG5ldHdvcmsvbGFu:0.1.137 similarity = 0.700 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/daemon/server.jsView on unpkg

Findings

1 Critical3 High6 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/daemon/server.js
HighChild Processdist/tun/route-manager.js
HighShell
HighCross File Remote Execution Contextdist/cli/commands.js
MediumDynamic Requiredist/ui/desktop/vendor/react-dom.production.min.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/commands.js
MediumShips Native Binarybin/tun-helper-linux-arm64
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License