registry  /  @invarn/cli  /  0.9.47

@invarn/cli@0.9.47

Invarn CLI — run builds, check artifacts, and ship from your terminal

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.37 MB of source, external domains: json-schema.org

Source & flagged code

6 flagged · loading source
dist/invarn.cjsView file
7depsCount: ${_0x5880f1}, L8: deps: ${_0x111e00}}`};var _0xcb0076={'keyword':_0x3113b8(0xa13),'type':_0x3113b8(0x6ed),'schemaType':_0x3113b8(0x6ed),'error':_0x18b67d[_0x3113b8(0x5b1)],'code'(_0x247ecc){let [_0x...
High
Child Process

Package source references child process execution.

dist/invarn.cjsView on unpkg · L7
1#!/usr/bin/env node L2: const _0x217894=_0x5555;(function(_0x2426c2,_0x4d3340){const _0x5e7aff=_0x5555,_0x5bdc2c=_0x2426c2();while(!![]){try{const _0x5d5579=-parseInt(_0x5e7aff(0x365))/0x1*(parseInt(_0x5e... L3: || (${_0x419d28} == "string" && ${_0xfb540a} && ${_0xfb540a} == +${_0xfb540a})`)['assign'](_0x43fc34,(0x0,_0x2720fe['_'])`+${_0xfb540a}`);return;case _0x61eec4(0xd1f):_0x50c485[_0x... L4: || (${_0x419d28} === "string" && ${_0xfb540a} && ${_0xfb540a} == +${_0xfb540a} && !(${_0xfb540a} % 1))`)[_0x61eec4(0x810)](_0x43fc34,(0x0,_0x2720fe['_'])`+${_0xfb540a}`);return;cas... L5: || ${_0x419d28} === "boolean" || ${_0xfb540a} === null`)[_0x61eec4(0x810)](_0x43fc34,(0x0,_0x2720fe['_'])`[${_0xfb540a}]`);}}}function _0x46b13a({gen:_0xdf66fc,parentData:_0x1ee8f6... L6: missingProperty: ${_0x50d35c},
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x217894=_0x5555;(function(_0x2426c2,_0x4d3340){const _0x5e7aff=_0x5555,_0x5bdc2c=_0x2426c2();while(!![]){try{const _0x5d5579=-parseInt(_0x5e7aff(0x365))/0x1*(parseInt(_0x5e... L3: || (${_0x419d28} == "string" && ${_0xfb540a} && ${_0xfb540a} == +${_0xfb540a})`)['assign'](_0x43fc34,(0x0,_0x2720fe['_'])`+${_0xfb540a}`);return;case _0x61eec4(0xd1f):_0x50c485[_0x... L4: || (${_0x419d28} === "string" && ${_0xfb540a} && ${_0xfb540a} == +${_0xfb540a} && !(${_0xfb540a} % 1))`)[_0x61eec4(0x810)](_0x43fc34,(0x0,_0x2720fe['_'])`+${_0xfb540a}`);return;cas... L5: || ${_0x419d28} === "boolean" || ${_0xfb540a} === null`)[_0x61eec4(0x810)](_0x43fc34,(0x0,_0x2720fe['_'])`[${_0xfb540a}]`);}}}function _0x46b13a({gen:_0xdf66fc,parentData:_0x1ee8f6... L6: missingProperty: ${_0x50d35c},
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x217894=_0x5555;(function(_0x2426c2,_0x4d3340){const _0x5e7aff=_0x5555,_0x5bdc2c=_0x2426c2();while(!![]){try{const _0x5d5579=-parseInt(_0x5e7aff(0x365))/0x1*(parseInt(_0x5e... L3: || (${_0x419d28} == "string" && ${_0xfb540a} && ${_0xfb540a} == +${_0xfb540a})`)['assign'](_0x43fc34,(0x0,_0x2720fe['_'])`+${_0xfb540a}`);return;case _0x61eec4(0xd1f):_0x50c485[_0x...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x217894=_0x5555;(function(_0x2426c2,_0x4d3340){const _0x5e7aff=_0x5555,_0x5bdc2c=_0x2426c2();while(!![]){try{const _0x5d5579=-parseInt(_0x5e7aff(0x365))/0x1*(parseInt(_0x5e... L3: || (${_0x419d28} == "string" && ${_0xfb540a} && ${_0xfb540a} == +${_0xfb540a})`)['assign'](_0x43fc34,(0x0,_0x2720fe['_'])`+${_0xfb540a}`);return;case _0x61eec4(0xd1f):_0x50c485[_0x...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/invarn.cjsView on unpkg · L1
4|| (${_0x419d28} === "string" && ${_0xfb540a} && ${_0xfb540a} == +${_0xfb540a} && !(${_0xfb540a} % 1))`)[_0x61eec4(0x810)](_0x43fc34,(0x0,_0x2720fe['_'])`+${_0xfb540a}`);return;cas... L5: || ${_0x419d28} === "boolean" || ${_0xfb540a} === null`)[_0x61eec4(0x810)](_0x43fc34,(0x0,_0x2720fe['_'])`[${_0xfb540a}]`);}}}function _0x46b13a({gen:_0xdf66fc,parentData:_0x1ee8f6... L6: missingProperty: ${_0x50d35c},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/invarn.cjsView on unpkg · L4

Findings

5 High4 Medium6 Low
HighChild Processdist/invarn.cjs
HighSame File Env Network Executiondist/invarn.cjs
HighCommand Output Exfiltrationdist/invarn.cjs
HighObfuscated Payload Loaderdist/invarn.cjs
HighObfuscated
MediumDynamic Requiredist/invarn.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/invarn.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings