registry  /  @invarn/cli  /  0.9.34

@invarn/cli@0.9.34

Invarn CLI — run builds, check artifacts, and ship from your terminal

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.14 MB of source, external domains: github.com, invarn.com, json-schema.org

Source & flagged code

6 flagged · loading source
dist/invarn.cjsView file
1#!/usr/bin/env node L2: const _0x2c99e5=_0x2101;(function(_0x7424a0,_0x46262c){const _0x51977c=_0x2101,_0x4d3737=_0x7424a0();while(!![]){try{const _0x4b9dd8=-parseInt(_0x51977c(0xeb7))/0x1*(-parseInt(_0x5... L3: || (${_0x5585e} == "string" && ${_0x4544d9} && ${_0x4544d9} == +${_0x4544d9})`)['assign'](_0x2acf3b,(0x0,_0x4bff51['_'])`+${_0x4544d9}`);return;case'integer':_0x2b4a02[_0x2cd587(0x...
High
Child Process

Package source references child process execution.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x2c99e5=_0x2101;(function(_0x7424a0,_0x46262c){const _0x51977c=_0x2101,_0x4d3737=_0x7424a0();while(!![]){try{const _0x4b9dd8=-parseInt(_0x51977c(0xeb7))/0x1*(-parseInt(_0x5... L3: || (${_0x5585e} == "string" && ${_0x4544d9} && ${_0x4544d9} == +${_0x4544d9})`)['assign'](_0x2acf3b,(0x0,_0x4bff51['_'])`+${_0x4544d9}`);return;case'integer':_0x2b4a02[_0x2cd587(0x...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x2c99e5=_0x2101;(function(_0x7424a0,_0x46262c){const _0x51977c=_0x2101,_0x4d3737=_0x7424a0();while(!![]){try{const _0x4b9dd8=-parseInt(_0x51977c(0xeb7))/0x1*(-parseInt(_0x5... L3: || (${_0x5585e} == "string" && ${_0x4544d9} && ${_0x4544d9} == +${_0x4544d9})`)['assign'](_0x2acf3b,(0x0,_0x4bff51['_'])`+${_0x4544d9}`);return;case'integer':_0x2b4a02[_0x2cd587(0x...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x2c99e5=_0x2101;(function(_0x7424a0,_0x46262c){const _0x51977c=_0x2101,_0x4d3737=_0x7424a0();while(!![]){try{const _0x4b9dd8=-parseInt(_0x51977c(0xeb7))/0x1*(-parseInt(_0x5... L3: || (${_0x5585e} == "string" && ${_0x4544d9} && ${_0x4544d9} == +${_0x4544d9})`)['assign'](_0x2acf3b,(0x0,_0x4bff51['_'])`+${_0x4544d9}`);return;case'integer':_0x2b4a02[_0x2cd587(0x...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x2c99e5=_0x2101;(function(_0x7424a0,_0x46262c){const _0x51977c=_0x2101,_0x4d3737=_0x7424a0();while(!![]){try{const _0x4b9dd8=-parseInt(_0x51977c(0xeb7))/0x1*(-parseInt(_0x5... L3: || (${_0x5585e} == "string" && ${_0x4544d9} && ${_0x4544d9} == +${_0x4544d9})`)['assign'](_0x2acf3b,(0x0,_0x4bff51['_'])`+${_0x4544d9}`);return;case'integer':_0x2b4a02[_0x2cd587(0x...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/invarn.cjsView on unpkg · L1
4|| (${_0x5585e} === "string" && ${_0x4544d9} && ${_0x4544d9} == +${_0x4544d9} && !(${_0x4544d9} % 1))`)[_0x2cd587(0xdfc)](_0x2acf3b,(0x0,_0x4bff51['_'])`+${_0x4544d9}`);return;case... L5: || ${_0x5585e} === "boolean" || ${_0x4544d9} === null`)[_0x2cd587(0xdfc)](_0x2acf3b,(0x0,_0x4bff51['_'])`[${_0x4544d9}]`);}}}function _0x1181db({gen:_0x28fbeb,parentData:_0x13395b,... L6: missingProperty: ${_0x5e6fcb},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/invarn.cjsView on unpkg · L4

Findings

5 High4 Medium5 Low
HighChild Processdist/invarn.cjs
HighSame File Env Network Executiondist/invarn.cjs
HighCommand Output Exfiltrationdist/invarn.cjs
HighObfuscated Payload Loaderdist/invarn.cjs
HighObfuscated
MediumDynamic Requiredist/invarn.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/invarn.cjs
LowHigh Entropy Strings
LowUrl Strings