
@explorer02/cfm-survey-sdk@0.2.4

⚠ Under review

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previously stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Dynamic Require · Environment Vars · Filesystem · Network
Supply chain
High Entropy Strings · Minified · Obfuscated · Url Strings
Manifest
No License
scanned 37 file(s), 757 KB of source, external hosts (domains and IP addresses): 43.204.26.213, custom-p0.feedbook.me, example.com, nodejs.org, placehold.co, raw.githubusercontent.com, react.dev, www.aprimo.com, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/cli/index.js
matchType = previous_version_dangerous_delta · matchedPackage = @explorer02/cfm-survey-sdk@0.2.3 · matchedIdentity = npm:[redacted]:0.2.3 · similarity = 0.545 · summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.js
5`),console.log(Te(s)),e.diffOnly){H.writeFileSync(t.diffJsonPath,JSON.stringify(s,null,2),"utf8"),H.writeFileSync(t.diffMdPath,Te(s),"utf8"),console.log(`${z.dim} Updated ${t.dif... L6: ${M.green}\u2705 Fetched final config (review mode)${M.reset}`),console.log(`${M.green} Final: ${r.finalPath}${M.reset}`),console.log(`${M.green} Diff: ${r.diffMdPath}${M.rese... L7: `);let o=await oe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Child Process

Package source references child process execution.

dist/cli/index.js · L5
1#!/usr/bin/env node L2: "use strict";var _o=Object.create;var Ie=Object.defineProperty;var Do=Object.getOwnPropertyDescriptor;var Oo=Object.getOwnPropertyNames;var Lo=Object.getPrototypeOf,Mo=Object.proto... L3: `)}function K(e){return{seedPath:le.join(e,"survey-ui-config.seed.json"),finalPath:le.join(e,"survey-ui-config.final.json"),diffJsonPath:le.join(e,"survey-ui-config.diff.json"),dif... L4: ${z.bold}${z.cyan}\u{1F4CB} UI config review${z.reset} L5: `),console.log(Te(s)),e.diffOnly){H.writeFileSync(t.diffJsonPath,JSON.stringify(s,null,2),"utf8"),H.writeFileSync(t.diffMdPath,Te(s),"utf8"),console.log(`${z.dim} Updated ${t.dif... L6: ${M.green}\u2705 Fetched final config (review mode)${M.reset}`),console.log(`${M.green} Final: ${r.finalPath}${M.reset}`),console.log(`${M.green} Diff: ${r.diffMdPath}${M.rese... L7: `);let o=await oe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.js · L1
1#!/usr/bin/env node L2: "use strict";var _o=Object.create;var Ie=Object.defineProperty;var Do=Object.getOwnPropertyDescriptor;var Oo=Object.getOwnPropertyNames;var Lo=Object.getPrototypeOf,Mo=Object.proto... L3: `)}function K(e){return{seedPath:le.join(e,"survey-ui-config.seed.json"),finalPath:le.join(e,"survey-ui-config.final.json"),diffJsonPath:le.join(e,"survey-ui-config.diff.json"),dif... L4: ${z.bold}${z.cyan}\u{1F4CB} UI config review${z.reset} L5: `),console.log(Te(s)),e.diffOnly){H.writeFileSync(t.diffJsonPath,JSON.stringify(s,null,2),"utf8"),H.writeFileSync(t.diffMdPath,Te(s),"utf8"),console.log(`${z.dim} Updated ${t.dif... L6: ${M.green}\u2705 Fetched final config (review mode)${M.reset}`),console.log(`${M.green} Final: ${r.finalPath}${M.reset}`),console.log(`${M.green} Diff: ${r.diffMdPath}${M.rese... L7: `);let o=await oe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.js · L1
5`),console.log(Te(s)),e.diffOnly){H.writeFileSync(t.diffJsonPath,JSON.stringify(s,null,2),"utf8"),H.writeFileSync(t.diffMdPath,Te(s),"utf8"),console.log(`${z.dim} Updated ${t.dif... L6: ${M.green}\u2705 Fetched final config (review mode)${M.reset}`),console.log(`${M.green} Final: ${r.finalPath}${M.reset}`),console.log(`${M.green} Diff: ${r.diffMdPath}${M.rese... L7: `);let o=await oe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.js · L5
dist/index.js
1"use strict";var kt=Object.defineProperty;var qo=Object.getOwnPropertyDescriptor;var Bo=Object.getOwnPropertyNames;var Ho=Object.prototype.hasOwnProperty;var Xo=(e,t)=>{for(var r i...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.js · L1
templates/docs/templates/verify-agent-build.sh
path = templates/docs/templates/verify-agent-build.sh · kind = build_helper · sizeBytes = 7848 · magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/docs/templates/verify-agent-build.sh

Findings

1 Critical · 5 High · 6 Medium · 6 Low
Critical · Previous Version Dangerous Delta · dist/cli/index.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/cli/index.js
High · Same File Env Network Execution · dist/cli/index.js
High · Command Output Exfiltration · dist/cli/index.js
High · Runtime Package Install · dist/cli/index.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · templates/docs/templates/verify-agent-build.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License