Static Scan Results
scanned 10d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/tunnels/client/_cert.jsView file
168patternName = private_key_rsa
severity = critical
line = 168
matchedText = return `...\n`;
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/tunnels/client/_cert.jsView on unpkg · L168168patternName = private_key_rsa
severity = critical
line = 168
matchedText = return `...\n`;
Critical
Secret Pattern
RSA private key in dist/tunnels/client/_cert.js
dist/tunnels/client/_cert.jsView on unpkg · L168dist/contacts/resources/vcards.jsView file
21*/
L22: async import(content, contentType = VCARD_CONTENT_TYPE) {
L23: const data = await this.http.postRaw(`${BASE}/import`, content, contentType);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/contacts/resources/vcards.jsView on unpkg · L21dist/tunnels/client/_ws_passthrough.jsView file
3*
L4: * WebSocket support for passthrough mode.
L5: *
...
L18: .update(key + WS_GUID, "ascii")
L19: .digest("base64");
L20: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/tunnels/client/_ws_passthrough.jsView on unpkg · L3Findings
2 Critical3 Medium6 Low
CriticalCritical Secretdist/tunnels/client/_cert.js
CriticalSecret Patterndist/tunnels/client/_cert.js
MediumDynamic Requiredist/contacts/resources/vcards.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/tunnels/client/_ws_passthrough.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings