registry  /  @kmmao/happy-coder  /  0.105.0

@kmmao/happy-coder@0.105.0

⚠ Under review

Mobile and Web client for Claude Code and Codex

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 51 file(s), 4.16 MB of source, external domains: 127.0.0.1, accounts.google.com, api.github.com, api.openai.com, auth.openai.com, claude.ai, console.anthropic.com, developers.google.com, github.com, goo.gle, happy.engineering, oauth2.googleapis.com, registry.npmjs.org, s.sangreal.code.xycloud.info, w.sangreal.code.xycloud.info, www.apple.com, www.googleapis.com

Source & flagged code

14 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/unpack-tools.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/happy-dev.mjsView file
2L3: import { execFileSync } from 'child_process'; L4: import { fileURLToPath } from 'url';
High
Child Process

Package source references child process execution.

bin/happy-dev.mjsView on unpkg · L2
8// Check if we're already running with the flags L9: const hasNoWarnings = process.execArgv.includes('--no-warnings'); L10: const hasNoDeprecation = process.execArgv.includes('--no-deprecation');
High
Shell

Package source references shell execution.

bin/happy-dev.mjsView on unpkg · L8
dist/taskLogWatcher-B7AxDUgP.cjsView file
2L3: var fs$1 = require('fs/promises'); L4: var fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/taskLogWatcher-B7AxDUgP.cjsView on unpkg · L2
dist/types-DRHdfrR_.mjsView file
1import{createRequire as _pkgrollCR}from"node:module";const require=_pkgrollCR(import.meta.url);import axios from 'axios'; L2: import chalk from 'chalk'; ... L10: import { io } from 'socket.io-client'; L11: import { randomBytes, createDecipheriv, createCipheriv, randomUUID as randomUUID$1 } from 'node:crypto'; L12: import tweetnacl from 'tweetnacl'; L13: import { createId } from '@paralleldrive/cuid2'; L14: import { execFile, spawn as spawn$3 } from 'node:child_process'; L15: import { promisify } from 'node:util'; ... L272: "tools", L273: "package.json" L274: ]; ... L416: this.isDaemonProcess = args.length >= 2 && args[0] === "daemon" && args[1] === "start-sync";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/types-DRHdfrR_.mjsView on unpkg · L1
dist/index-CAX-QgOI.cjsView file
28647L28648: const execAsync$1 = util.promisify(child_process.exec); L28649: const CLIENT_ID = "681255809395-[redacted].apps.googleusercontent.com"; L28650: const CLIENT_SECRET = process.env.GOOGLE_OAUTH_CLIENT_SECRET ?? ""; L28651: const AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"; L28652: const TOKEN_URL = "https://oauth2.googleapis.com/token";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index-CAX-QgOI.cjsView on unpkg · L28647
8var api = require('./types-BT_aNQvk.cjs'); L9: var node_child_process = require('node:child_process'); L10: var node_readline = require('node:readline'); ... L448: } L449: const sessionData = fs.readFileSync(sessionFile, "utf-8").split("\n"); L450: const hasGoodMessage = !!sessionData.find((v, index) => { ... L3574: const attachedTerminals = /* @__PURE__ */ new Map(); L3575: let reconnectBaseUrl = null; L3576: let reconnectInflight = null;
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index-CAX-QgOI.cjsView on unpkg · L8
8Cross-file remote execution chain: dist/index-CAX-QgOI.cjs spawns dist/types-BT_aNQvk.cjs; helper contains network access plus dynamic code execution. L8: var api = require('./types-BT_aNQvk.cjs'); L9: var node_child_process = require('node:child_process'); L10: var node_readline = require('node:readline'); ... L15: var React = require('react'); L16: var axios = require('axios'); L17: require('node:events'); ... L436: const projectId = path.resolve(workingDirectory).replace(/[^a-zA-Z0-9-]/g, "-"); L437: const claudeConfigDir = process.env.CLAUDE_CONFIG_DIR || path.join(os.homedir(), ".claude"); L438: return path.join(claudeConfigDir, "projects", projectId); ... L452: try { L453: const parsed = JSON.parse(v); L454: return typeof parsed.uuid === "string" && parsed.uuid.length > 0 || // Claude Code 2.1.x
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index-CAX-QgOI.cjsView on unpkg · L8
8var api = require('./types-BT_aNQvk.cjs'); L9: var node_child_process = require('node:child_process'); L10: var node_readline = require('node:readline'); ... L15: var React = require('react'); L16: var axios = require('axios'); L17: require('node:events'); ... L436: const projectId = path.resolve(workingDirectory).replace(/[^a-zA-Z0-9-]/g, "-"); L437: const claudeConfigDir = process.env.CLAUDE_CONFIG_DIR || path.join(os.homedir(), ".claude"); L438: return path.join(claudeConfigDir, "projects", projectId); ... L452: try { L453: const parsed = JSON.parse(v); L454: return typeof parsed.uuid === "string" && parsed.uuid.length > 0 || // Claude Code 2.1.x
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index-CAX-QgOI.cjsView on unpkg · L8
tools/unpacked/ripgrep.nodeView file
path = tools/unpacked/ripgrep.node kind = native_binary sizeBytes = 8555952 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

tools/unpacked/ripgrep.nodeView on unpkg
scripts/download-tools.shView file
path = scripts/download-tools.sh kind = build_helper sizeBytes = 4241 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/download-tools.shView on unpkg
tools/archives/difftastic-arm64-linux.tar.gzView file
path = tools/archives/difftastic-arm64-linux.tar.gz kind = high_entropy_blob sizeBytes = 11425536 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

tools/archives/difftastic-arm64-linux.tar.gzView on unpkg
path = tools/archives/difftastic-arm64-linux.tar.gz kind = compressed_blob sizeBytes = 11425536 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

tools/archives/difftastic-arm64-linux.tar.gzView on unpkg
dist/config-5gSQcL2m.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @kmmao/happy-coder@0.102.10 matchedIdentity = npm:QGttbWFvL2hhcHB5LWNvZGVy:0.102.10 similarity = 0.560 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/config-5gSQcL2m.cjsView on unpkg

Findings

1 Critical7 High8 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/config-5gSQcL2m.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/happy-dev.mjs
HighShellbin/happy-dev.mjs
HighSame File Env Network Executiondist/index-CAX-QgOI.cjs
HighRemote Agent Bridgedist/index-CAX-QgOI.cjs
HighCross File Remote Execution Contextdist/index-CAX-QgOI.cjs
HighShips High Entropy Blobtools/archives/difftastic-arm64-linux.tar.gz
MediumDynamic Requiredist/taskLogWatcher-B7AxDUgP.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index-CAX-QgOI.cjs
MediumShips Native Binarytools/unpacked/ripgrep.node
MediumShips Build Helperscripts/download-tools.sh
MediumShips Compressed Blobtools/archives/difftastic-arm64-linux.tar.gz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/types-DRHdfrR_.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings