registry  /  @invarn/cli  /  0.9.53

@invarn/cli@0.9.53

Invarn CLI — run builds, check artifacts, and ship from your terminal

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.42 MB of source, external domains: github.com, invarn.com, json-schema.org, schemas.android.com

Source & flagged code

6 flagged · loading source
dist/invarn.cjsView file
7depsCount: ${_0x28295c}, L8: deps: ${_0x345425}}`};var _0x90d60f={'keyword':_0x18a4ea(0x8f5),'type':'object','schemaType':_0x18a4ea(0x121c),'error':_0x31dd75[_0x18a4ea(0x6e7)],'code'(_0x389e5a){let [_0x2e775e,...
High
Child Process

Package source references child process execution.

dist/invarn.cjsView on unpkg · L7
1#!/usr/bin/env node L2: const _0x5ea3c2=_0x5d3a;(function(_0x27ebcd,_0x1da54a){const _0x304c0e=_0x5d3a,_0xdb4521=_0x27ebcd();while(!![]){try{const _0x21cf5e=-parseInt(_0x304c0e(0x1323))/0x1*(-parseInt(_0x... L3: || (${_0x529139} == "string" && ${_0x2eb64d} && ${_0x2eb64d} == +${_0x2eb64d})`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`+${_0x2eb64d}`);return;case _0x337fe4(0xfde):_0x5... L4: || (${_0x529139} === "string" && ${_0x2eb64d} && ${_0x2eb64d} == +${_0x2eb64d} && !(${_0x2eb64d} % 1))`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`+${_0x2eb64d}`);return;ca... L5: || ${_0x529139} === "boolean" || ${_0x2eb64d} === null`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`[${_0x2eb64d}]`);}}}function _0x20ec32({gen:_0x3111e0,parentData:_0x54795... L6: missingProperty: ${_0x3a9a29},
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x5ea3c2=_0x5d3a;(function(_0x27ebcd,_0x1da54a){const _0x304c0e=_0x5d3a,_0xdb4521=_0x27ebcd();while(!![]){try{const _0x21cf5e=-parseInt(_0x304c0e(0x1323))/0x1*(-parseInt(_0x... L3: || (${_0x529139} == "string" && ${_0x2eb64d} && ${_0x2eb64d} == +${_0x2eb64d})`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`+${_0x2eb64d}`);return;case _0x337fe4(0xfde):_0x5... L4: || (${_0x529139} === "string" && ${_0x2eb64d} && ${_0x2eb64d} == +${_0x2eb64d} && !(${_0x2eb64d} % 1))`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`+${_0x2eb64d}`);return;ca... L5: || ${_0x529139} === "boolean" || ${_0x2eb64d} === null`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`[${_0x2eb64d}]`);}}}function _0x20ec32({gen:_0x3111e0,parentData:_0x54795... L6: missingProperty: ${_0x3a9a29},
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x5ea3c2=_0x5d3a;(function(_0x27ebcd,_0x1da54a){const _0x304c0e=_0x5d3a,_0xdb4521=_0x27ebcd();while(!![]){try{const _0x21cf5e=-parseInt(_0x304c0e(0x1323))/0x1*(-parseInt(_0x... L3: || (${_0x529139} == "string" && ${_0x2eb64d} && ${_0x2eb64d} == +${_0x2eb64d})`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`+${_0x2eb64d}`);return;case _0x337fe4(0xfde):_0x5...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x5ea3c2=_0x5d3a;(function(_0x27ebcd,_0x1da54a){const _0x304c0e=_0x5d3a,_0xdb4521=_0x27ebcd();while(!![]){try{const _0x21cf5e=-parseInt(_0x304c0e(0x1323))/0x1*(-parseInt(_0x... L3: || (${_0x529139} == "string" && ${_0x2eb64d} && ${_0x2eb64d} == +${_0x2eb64d})`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`+${_0x2eb64d}`);return;case _0x337fe4(0xfde):_0x5...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/invarn.cjsView on unpkg · L1
4|| (${_0x529139} === "string" && ${_0x2eb64d} && ${_0x2eb64d} == +${_0x2eb64d} && !(${_0x2eb64d} % 1))`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`+${_0x2eb64d}`);return;ca... L5: || ${_0x529139} === "boolean" || ${_0x2eb64d} === null`)[_0x337fe4(0x130b)](_0x4e9d7e,(0x0,_0x16a9bf['_'])`[${_0x2eb64d}]`);}}}function _0x20ec32({gen:_0x3111e0,parentData:_0x54795... L6: missingProperty: ${_0x3a9a29},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/invarn.cjsView on unpkg · L4

Findings

5 High5 Medium6 Low
HighChild Processdist/invarn.cjs
HighSame File Env Network Executiondist/invarn.cjs
HighCommand Output Exfiltrationdist/invarn.cjs
HighObfuscated Payload Loaderdist/invarn.cjs
HighObfuscated
MediumDynamic Requiredist/invarn.cjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/invarn.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings