Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsNetworkWebSocket
UrlStrings
Source & flagged code
2 flagged · loading sourcedist/worker.jsView file
11return { id: cloudRun, source: "cloud_run_revision_instance" };
L12: const hostname = (process.env.HOSTNAME ?? "").trim();
L13: if (hostname)
...
L24: try {
L25: const host = systemHostname().trim();
L26: if (host) {
...
L45: try {
L46: const resp = await fetch("http://metadata.google.[redacted]", { headers: { "Metadata-Flavor": "Google" }, signal: ctrl.signal });
L47: if (!resp.ok)
L48: return null;
L49: const id = (await resp.text()).trim();
L50: return id ? `${revision}-${id}` : null;
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/worker.jsView on unpkg · L11dist/client.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @deepnoodle/mobius@0.0.36
matchedIdentity = npm:QGRlZXBub29kbGUvbW9iaXVz:0.0.36
similarity = 0.833
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/client.jsView on unpkgFindings
2 High2 Medium3 Low
HighCloud Metadata Accessdist/worker.js
HighPrevious Version Dangerous Deltadist/client.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings