registry  /  @invarn/cli  /  0.9.57

@invarn/cli@0.9.57

Invarn CLI — run builds, check artifacts, and ship from your terminal

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.51 MB of source, external domains: invarn.com, json-schema.org

Source & flagged code

6 flagged · loading source
dist/invarn.cjsView file
7depsCount: ${_0x107434}, L8: deps: ${_0x398f7e}}`};var _0xbc7667={'keyword':_0x2d1ac8(0x26a),'type':_0x2d1ac8(0x1358),'schemaType':_0x2d1ac8(0x1358),'error':_0xf50265[_0x2d1ac8(0x7ad)],'code'(_0x504cb4){let [_...
High
Child Process

Package source references child process execution.

dist/invarn.cjsView on unpkg · L7
1#!/usr/bin/env node L2: const _0x55bb72=_0x35f7;(function(_0x4bffc1,_0x589622){const _0x1b79d3=_0x35f7,_0x477203=_0x4bffc1();while(!![]){try{const _0x3f3920=-parseInt(_0x1b79d3(0xbd7))/0x1+-parseInt(_0x1b... L3: || (${_0x4f8ece} == "string" && ${_0x3e5b9d} && ${_0x3e5b9d} == +${_0x3e5b9d})`)['assign'](_0x264339,(0x0,_0x572169['_'])`+${_0x3e5b9d}`);return;case _0x33c010(0x3aa):_0x42c939['el... L4: || (${_0x4f8ece} === "string" && ${_0x3e5b9d} && ${_0x3e5b9d} == +${_0x3e5b9d} && !(${_0x3e5b9d} % 1))`)[_0x33c010(0xd15)](_0x264339,(0x0,_0x572169['_'])`+${_0x3e5b9d}`);return;cas... L5: || ${_0x4f8ece} === "boolean" || ${_0x3e5b9d} === null`)[_0x33c010(0xd15)](_0x264339,(0x0,_0x572169['_'])`[${_0x3e5b9d}]`);}}}function _0x47db7f({gen:_0x19139e,parentData:_0xdceb96... L6: missingProperty: ${_0x3c8fae},
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x55bb72=_0x35f7;(function(_0x4bffc1,_0x589622){const _0x1b79d3=_0x35f7,_0x477203=_0x4bffc1();while(!![]){try{const _0x3f3920=-parseInt(_0x1b79d3(0xbd7))/0x1+-parseInt(_0x1b... L3: || (${_0x4f8ece} == "string" && ${_0x3e5b9d} && ${_0x3e5b9d} == +${_0x3e5b9d})`)['assign'](_0x264339,(0x0,_0x572169['_'])`+${_0x3e5b9d}`);return;case _0x33c010(0x3aa):_0x42c939['el... L4: || (${_0x4f8ece} === "string" && ${_0x3e5b9d} && ${_0x3e5b9d} == +${_0x3e5b9d} && !(${_0x3e5b9d} % 1))`)[_0x33c010(0xd15)](_0x264339,(0x0,_0x572169['_'])`+${_0x3e5b9d}`);return;cas... L5: || ${_0x4f8ece} === "boolean" || ${_0x3e5b9d} === null`)[_0x33c010(0xd15)](_0x264339,(0x0,_0x572169['_'])`[${_0x3e5b9d}]`);}}}function _0x47db7f({gen:_0x19139e,parentData:_0xdceb96... L6: missingProperty: ${_0x3c8fae},
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x55bb72=_0x35f7;(function(_0x4bffc1,_0x589622){const _0x1b79d3=_0x35f7,_0x477203=_0x4bffc1();while(!![]){try{const _0x3f3920=-parseInt(_0x1b79d3(0xbd7))/0x1+-parseInt(_0x1b... L3: || (${_0x4f8ece} == "string" && ${_0x3e5b9d} && ${_0x3e5b9d} == +${_0x3e5b9d})`)['assign'](_0x264339,(0x0,_0x572169['_'])`+${_0x3e5b9d}`);return;case _0x33c010(0x3aa):_0x42c939['el...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/invarn.cjsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x55bb72=_0x35f7;(function(_0x4bffc1,_0x589622){const _0x1b79d3=_0x35f7,_0x477203=_0x4bffc1();while(!![]){try{const _0x3f3920=-parseInt(_0x1b79d3(0xbd7))/0x1+-parseInt(_0x1b... L3: || (${_0x4f8ece} == "string" && ${_0x3e5b9d} && ${_0x3e5b9d} == +${_0x3e5b9d})`)['assign'](_0x264339,(0x0,_0x572169['_'])`+${_0x3e5b9d}`);return;case _0x33c010(0x3aa):_0x42c939['el...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/invarn.cjsView on unpkg · L1
4|| (${_0x4f8ece} === "string" && ${_0x3e5b9d} && ${_0x3e5b9d} == +${_0x3e5b9d} && !(${_0x3e5b9d} % 1))`)[_0x33c010(0xd15)](_0x264339,(0x0,_0x572169['_'])`+${_0x3e5b9d}`);return;cas... L5: || ${_0x4f8ece} === "boolean" || ${_0x3e5b9d} === null`)[_0x33c010(0xd15)](_0x264339,(0x0,_0x572169['_'])`[${_0x3e5b9d}]`);}}}function _0x47db7f({gen:_0x19139e,parentData:_0xdceb96... L6: missingProperty: ${_0x3c8fae},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/invarn.cjsView on unpkg · L4

Findings

5 High4 Medium6 Low
HighChild Processdist/invarn.cjs
HighSame File Env Network Executiondist/invarn.cjs
HighCommand Output Exfiltrationdist/invarn.cjs
HighObfuscated Payload Loaderdist/invarn.cjs
HighObfuscated
MediumDynamic Requiredist/invarn.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/invarn.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings