Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshot
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell, HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged
dist/dpuse-development.es.js
L3: import { promisify as r } from "node:util";
L4: import { execFile as i, spawn as a } from "node:child_process";
L5: import { fileURLToPath as o } from "node:url";
...
L989: ], p = "·̀-ͯ·҃-֑҇-ׇֽֿׁׂׅׄؐ-ًؚ-٩ٰۖ-ۜ۟-۪ۤۧۨ-ۭ۰-۹ܑܰ-݊ަ-ް߀-߉߫-߽߳ࠖ-࠙ࠛ-ࠣࠥ-ࠧࠩ-࡙࠭-࡛-࢟࣊-ࣣ࣡-ःऺ-़ा-ॏ॑-ॗॢॣ०-९ঁ-ঃ়া-ৄেৈো-্ৗৢৣ০-৯৾ਁ-ਃ਼ਾ-ੂੇੈੋ-੍ੑ੦-ੱੵઁ-ઃ઼ા-ૅે-ૉો-્ૢૣ૦-૯ૺ-૿ଁ-ଃ଼ା-ୄେୈୋ-୍୕-ୗୢୣ୦-୯ஂா-...
L990: 3: "abstract boolean byte char class double enum export extends final float goto implements import int interface long native package private protected public short static super syn...
L991: 5: "class enum extends super const export import",
...
L1007: function y(e, t) {
L1008: return e < 65 ? e === 36 : e < 91 ? !0 : e < 97 ? e === 95 : e < 123 ? !0 : e <= 65535 ? e >= 170 && te.test(String.fromCharCode(e)) : t === !1 ? !1 : ne(e, f);
L1009: }
...
L5755: e !== void 0 && q(`${e} - exec(${n} ${r.join(" ")})`);
L5756: let { stdout: a, stderr: o } = await jn(n, r);
L5757: i === void 0 ? a.trim() && console.log(a.trim()) : await t.writeFile(i, a.trim(), "utf8"), o.trim() && console.error(o.trim());
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/dpuse-development.es.js · L33
Trigger-reachable chain: manifest.module -> dist/dpuse-development.es.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/dpuse-development.es.js · L3
Findings
2 Critical, 3 Medium, 4 Low
Critical: Credential Exfiltration (dist/dpuse-development.es.js)
Critical: Trigger Reachable Dangerous Capability (dist/dpuse-development.es.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings