
@explorer02/cfm-survey-sdk@0.4.0

⚠ Under review

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Dynamic Require, Environment Vars, Filesystem, Network
Supply chain
High Entropy Strings, Minified/Obfuscated, Url Strings
Manifest
No License
scanned 44 file(s), 877 KB of source, external domains: 43.204.26.213, custom-p0.feedbook.me, example.com, nodejs.org, placehold.co, raw.githubusercontent.com, react.dev, www.aprimo.com, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

The install-time lifecycle script is not on the static allowlist and needs manual review.

package.json
dist/cli/index.js
matchType = previous_version_dangerous_delta matchedPackage = @explorer02/cfm-survey-sdk@0.3.4 matchedIdentity = npm:[redacted]:0.3.4 similarity = 0.558 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.js
37`),console.log(ze(i)),e.diffOnly){Y.writeFileSync(t.diffJsonPath,JSON.stringify(i,null,2),"utf8"),Y.writeFileSync(t.diffMdPath,ze(i),"utf8"),console.log(`${J.dim} Updated ${t.dif... L38: ${H.green}\u2705 Fetched final config (review mode)${H.reset}`),console.log(`${H.green} Final: ${s.finalPath}${H.reset}`),console.log(`${H.green} Diff: ${s.diffMdPath}${H.rese... L39: `);let o=await fe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Child Process

Package source references child process execution.

dist/cli/index.js · L37
34} L35: `});function We(e){if(!e.config)return null;let o=JSON.parse(JSON.stringify(e.config)),n=o.global?.logo;return e.logoUrl&&n&&(n.url=e.logoUrl),o}function Yo(e){return new Promise((... L36: ${J.bold}${J.cyan}\u{1F4CB} UI config review${J.reset} L37: `),console.log(ze(i)),e.diffOnly){Y.writeFileSync(t.diffJsonPath,JSON.stringify(i,null,2),"utf8"),Y.writeFileSync(t.diffMdPath,ze(i),"utf8"),console.log(`${J.dim} Updated ${t.dif... L38: ${H.green}\u2705 Fetched final config (review mode)${H.reset}`),console.log(`${H.green} Final: ${s.finalPath}${H.reset}`),console.log(`${H.green} Diff: ${s.diffMdPath}${H.rese... L39: `);let o=await fe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.js · L34
34} L35: `});function We(e){if(!e.config)return null;let o=JSON.parse(JSON.stringify(e.config)),n=o.global?.logo;return e.logoUrl&&n&&(n.url=e.logoUrl),o}function Yo(e){return new Promise((... L36: ${J.bold}${J.cyan}\u{1F4CB} UI config review${J.reset} L37: `),console.log(ze(i)),e.diffOnly){Y.writeFileSync(t.diffJsonPath,JSON.stringify(i,null,2),"utf8"),Y.writeFileSync(t.diffMdPath,ze(i),"utf8"),console.log(`${J.dim} Updated ${t.dif... L38: ${H.green}\u2705 Fetched final config (review mode)${H.reset}`),console.log(`${H.green} Final: ${s.finalPath}${H.reset}`),console.log(`${H.green} Diff: ${s.diffMdPath}${H.rese... L39: `);let o=await fe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.js · L34
37`),console.log(ze(i)),e.diffOnly){Y.writeFileSync(t.diffJsonPath,JSON.stringify(i,null,2),"utf8"),Y.writeFileSync(t.diffMdPath,ze(i),"utf8"),console.log(`${J.dim} Updated ${t.dif... L38: ${H.green}\u2705 Fetched final config (review mode)${H.reset}`),console.log(`${H.green} Final: ${s.finalPath}${H.reset}`),console.log(`${H.green} Diff: ${s.diffMdPath}${H.rese... L39: `);let o=await fe("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");o.toLowerCase()==="y"||o.toLowerCase()==="yes"||(console.log(`
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.js · L37
dist/index.js
1"use strict";var kt=Object.defineProperty;var qo=Object.getOwnPropertyDescriptor;var Bo=Object.getOwnPropertyNames;var Ho=Object.prototype.hasOwnProperty;var Xo=(e,t)=>{for(var r i...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.js · L1
templates/docs/templates/verify-agent-build.sh
path = templates/docs/templates/verify-agent-build.sh kind = build_helper sizeBytes = 9137 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/docs/templates/verify-agent-build.sh

Findings

1 Critical, 5 High, 6 Medium, 6 Low
Critical — Previous Version Dangerous Delta — dist/cli/index.js
High — Install Time Lifecycle Scripts — package.json
High — Child Process — dist/cli/index.js
High — Same File Env Network Execution — dist/cli/index.js
High — Command Output Exfiltration — dist/cli/index.js
High — Runtime Package Install — dist/cli/index.js
Medium — Ambiguous Install Lifecycle Script — package.json
Medium — Dynamic Require — dist/index.js
Medium — Network
Medium — Environment Vars
Medium — Ships Build Helper — templates/docs/templates/verify-agent-build.sh
Medium — Structural Risk Force Deep Review
Low — Scripts Present
Low — Filesystem
Low — Obfuscated
Low — High Entropy Strings
Low — Url Strings
Low — No License