registry  /  @jheavenknows/bluerouter  /  5.0.62

@jheavenknows/bluerouter@5.0.62

Bluerouter CLI - Start and manage Bluerouter server

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 26 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 547 KB of source, external domains: 127.0.0.1, 172.16.6.8, api.example.com, www.apple.com

Source & flagged code

17 flagged · loading source
package.jsonView file
scripts.postinstall = node hooks/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node hooks/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
app/.next-cli-build/server/chunks/4306.jsView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

app/.next-cli-build/server/chunks/4306.jsView on unpkg · L1
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Secret Pattern

RSA private key in app/.next-cli-build/server/chunks/4306.js

app/.next-cli-build/server/chunks/4306.jsView on unpkg · L1
app/src/mitm/server.jsView file
24Private-MAC: `+B.digest().toHex()+`\r L25: `,s};Sa.publicKeyToOpenSSH=function(e,t){var a="ssh-rsa";t=t||"";var r=xe.util.createBuffer();return Cr(r,a),St(r,e.e),St(r,e.n),a+" "+xe.util.encode64(r.bytes())+" "+t};Sa.private... L26: `}function Vn(e){return ge.md.sha256.create().update(ge.pki.publicKeyToPem(e),"utf8").digest().toHex()}function bf(e){if(!e?.n||!e?.e)throw new Error("Only RSA private keys are sup...
High
Child Process

Package source references child process execution.

app/src/mitm/server.jsView on unpkg · L24
41subjectKeyIdentifier = hash L42: `,o=Ta();j.writeFileSync(Dn,i,"utf8");try{On("openssl",["genrsa","-out",Xe,"4096"],{stdio:["ignore","pipe","pipe"]}),On("openssl",["req","-new","-key",Xe,"-out",Tt,"-config",Dn],{s... L43: [ERROR] ${i.message} ... L48: `);t.push({role:"tool",tool_call_id:n.toolUseId||"",content:s})}let r=(e.content||"").trim();return(r||a.length===0)&&t.push({role:"user",content:r}),t}function pd(e){let t=e.toolU... L49: `);n=c.pop()??"";for(let f of c){let y=f.trim();if(!y.startsWith("data:"))continue;let m=y.slice(5).trim();if(m==="[DONE]"){o();continue}let g;try{g=JSON.parse(m)}catch{continue}le... L50: $proc = Start-Process powershell -ArgumentList @(
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

app/src/mitm/server.jsView on unpkg · L41
41subjectKeyIdentifier = hash L42: `,o=Ta();j.writeFileSync(Dn,i,"utf8");try{On("openssl",["genrsa","-out",Xe,"4096"],{stdio:["ignore","pipe","pipe"]}),On("openssl",["req","-new","-key",Xe,"-out",Tt,"-config",Dn],{s... L43: [ERROR] ${i.message} ... L48: `);t.push({role:"tool",tool_call_id:n.toolUseId||"",content:s})}let r=(e.content||"").trim();return(r||a.length===0)&&t.push({role:"user",content:r}),t}function pd(e){let t=e.toolU... L49: `);n=c.pop()??"";for(let f of c){let y=f.trim();if(!y.startsWith("data:"))continue;let m=y.slice(5).trim();if(m==="[DONE]"){o();continue}let g;try{g=JSON.parse(m)}catch{continue}le... L50: $proc = Start-Process powershell -ArgumentList @(
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

app/src/mitm/server.jsView on unpkg · L41
cli.jsView file
781if (process.platform === "win32") { L782: const psCmd = `powershell -NonInteractive -WindowStyle Hidden -Command "Get-WmiObject Win32_Process -Filter 'Name=\\"cloudflared.exe\\"' | Select-Object ProcessId,CommandLine | Con... L783: const output = execSync(psCmd, { encoding: "utf8", windowsHide: true, timeout: 5000 });
High
Shell

Package source references shell execution.

cli.jsView on unpkg · L781
2Cross-file remote execution chain: cli.js spawns app/src/mitm/server.js; helper contains network access plus dynamic code execution. L2: L3: const { spawn, exec, execSync } = require("child_process"); L4: const path = require("path"); L5: const fs = require("fs"); L6: const https = require("https"); L7: const os = require("os"); ... L16: start() { L17: if (process.stdout.isTTY) { L18: process.stdout.write(`\r${frames[0]} ${currentText}`); L19: interval = setInterval(() => { ... L44: L45: const pkg = require("./package.json");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

cli.jsView on unpkg · L2
2L3: const { spawn, exec, execSync } = require("child_process"); L4: const path = require("path"); L5: const fs = require("fs"); L6: const https = require("https"); L7: const os = require("os"); ... L16: start() { L17: if (process.stdout.isTTY) { L18: process.stdout.write(`\r${frames[0]} ${currentText}`); L19: interval = setInterval(() => { ... L44: L45: const pkg = require("./package.json");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

cli.jsView on unpkg · L2
app/server.jsView file
1const path = require('path') L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

app/server.jsView on unpkg · L1
app/src/lib/updater/updater.jsView file
1// Standalone detached updater process. L2: // Spawns `npm i -g <pkg>@latest`, exposes progress via tiny HTTP server. L3: // Survives after parent Next server exits (detached + unref by spawner). L4: L5: const { spawn } = require("child_process"); L6: const http = require("http");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

app/src/lib/updater/updater.jsView on unpkg · L1
src/cli/tray/tray.ps1View file
path = src/cli/tray/tray.ps1 kind = build_helper sizeBytes = 2663 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/cli/tray/tray.ps1View on unpkg
app/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2View file
path = app/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2 kind = high_entropy_blob sizeBytes = 3962536 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

app/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2View on unpkg
app/.next-cli-build/server/chunks/6053.jsView file
2patternName = generic_password severity = medium line = 2 matchedText = ${a.mess...}}};
Medium
Secret Pattern

Hardcoded password in app/.next-cli-build/server/chunks/6053.js

app/.next-cli-build/server/chunks/6053.jsView on unpkg · L2
app/.next-cli-build/server/chunks/402.jsView file
15patternName = generic_password severity = medium line = 15 matchedText = GROUP BY...ec(`
Medium
Secret Pattern

Hardcoded password in app/.next-cli-build/server/chunks/402.js

app/.next-cli-build/server/chunks/402.jsView on unpkg · L15
app/.next-cli-build/server/chunks/8971.jsView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...}}};
Critical
Secret Pattern

RSA private key in app/.next-cli-build/server/chunks/8971.js

app/.next-cli-build/server/chunks/8971.jsView on unpkg · L1

Findings

3 Critical8 High9 Medium6 Low
CriticalCritical Secretapp/.next-cli-build/server/chunks/4306.js
CriticalSecret Patternapp/.next-cli-build/server/chunks/4306.js
CriticalSecret Patternapp/.next-cli-build/server/chunks/8971.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processapp/src/mitm/server.js
HighShellcli.js
HighSame File Env Network Executionapp/src/mitm/server.js
HighCommand Output Exfiltrationapp/src/mitm/server.js
HighCross File Remote Execution Contextcli.js
HighRuntime Package Installapp/src/lib/updater/updater.js
HighShips High Entropy Blobapp/.next-cli-build/static/media/material-symbols-outlined.ec1fa111.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireapp/server.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencecli.js
MediumShips Build Helpersrc/cli/tray/tray.ps1
MediumStructural Risk Force Deep Review
MediumSecret Patternapp/.next-cli-build/server/chunks/6053.js
MediumSecret Patternapp/.next-cli-build/server/chunks/402.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings