@dpuse/dpuse-development@0.3.651

⚠ Under review

Actions for managing DPUse projects.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 6 file(s), 305 KB of source, external domains: api.dpuse.app, registry.npmjs.org, www.npmjs.com

Source & flagged code

2 flagged
dist/dpuse-development.es.js
L3: import { promisify as r } from "node:util";
L4: import { execFile as i, spawn as a } from "node:child_process";
L5: import { fileURLToPath as o } from "node:url";
...
L989: ], p = "‌‍·̀-ͯ·҃-֑҇-ׇֽֿׁׂׅׄؐ-ًؚ-٩ٰۖ-ۜ۟-۪ۤۧۨ-ۭ۰-۹ܑܰ-݊ަ-ް߀-߉߫-߽߳ࠖ-࠙ࠛ-ࠣࠥ-ࠧࠩ-࡙࠭-࡛ࢗ-࢟࣊-ࣣ࣡-ःऺ-़ा-ॏ॑-ॗॢॣ०-९ঁ-ঃ়া-ৄেৈো-্ৗৢৣ০-৯৾ਁ-ਃ਼ਾ-ੂੇੈੋ-੍ੑ੦-ੱੵઁ-ઃ઼ા-ૅે-ૉો-્ૢૣ૦-૯ૺ-૿ଁ-ଃ଼ା-ୄେୈୋ-୍୕-ୗୢୣ୦-୯ஂா-...
L990: 3: "abstract boolean byte char class double enum export extends final float goto implements import int interface long native package private protected public short static super syn...
L991: 5: "class enum extends super const export import",
...
L1007: function y(e, t) {
L1008: return e < 65 ? e === 36 : e < 91 ? !0 : e < 97 ? e === 95 : e < 123 ? !0 : e <= 65535 ? e >= 170 && te.test(String.fromCharCode(e)) : t === !1 ? !1 : ne(e, f);
L1009: }
...
L5755: e !== void 0 && q(`${e} - exec(${n} ${r.join(" ")})`);
L5756: let { stdout: a, stderr: o } = await jn(n, r);
L5757: i === void 0 ? a.trim() && console.log(a.trim()) : await t.writeFile(i, a.trim(), "utf8"), o.trim() && console.error(o.trim());
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/dpuse-development.es.js · L3
Trigger-reachable chain: manifest.module -> dist/dpuse-development.es.js
L3: import { promisify as r } from "node:util";
L4: import { execFile as i, spawn as a } from "node:child_process";
L5: import { fileURLToPath as o } from "node:url";
...
L989: ], p = "‌‍·̀-ͯ·҃-֑҇-ׇֽֿׁׂׅׄؐ-ًؚ-٩ٰۖ-ۜ۟-۪ۤۧۨ-ۭ۰-۹ܑܰ-݊ަ-ް߀-߉߫-߽߳ࠖ-࠙ࠛ-ࠣࠥ-ࠧࠩ-࡙࠭-࡛ࢗ-࢟࣊-ࣣ࣡-ःऺ-़ा-ॏ॑-ॗॢॣ०-९ঁ-ঃ়া-ৄেৈো-্ৗৢৣ০-৯৾ਁ-ਃ਼ਾ-ੂੇੈੋ-੍ੑ੦-ੱੵઁ-ઃ઼ા-ૅે-ૉો-્ૢૣ૦-૯ૺ-૿ଁ-ଃ଼ା-ୄେୈୋ-୍୕-ୗୢୣ୦-୯ஂா-...
L990: 3: "abstract boolean byte char class double enum export extends final float goto implements import int interface long native package private protected public short static super syn...
L991: 5: "class enum extends super const export import",
...
L1007: function y(e, t) {
L1008: return e < 65 ? e === 36 : e < 91 ? !0 : e < 97 ? e === 95 : e < 123 ? !0 : e <= 65535 ? e >= 170 && te.test(String.fromCharCode(e)) : t === !1 ? !1 : ne(e, f);
L1009: }
...
L5755: e !== void 0 && q(`${e} - exec(${n} ${r.join(" ")})`);
L5756: let { stdout: a, stderr: o } = await jn(n, r);
L5757: i === void 0 ? a.trim() && console.log(a.trim()) : await t.writeFile(i, a.trim(), "utf8"), o.trim() && console.error(o.trim());
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/dpuse-development.es.js · L3

Findings

2 Critical, 3 Medium, 4 Low
Critical: Credential Exfiltration (dist/dpuse-development.es.js)
Critical: Trigger Reachable Dangerous Capability (dist/dpuse-development.es.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings