registry  /  @kmmao/happy-coder  /  0.102.14

@kmmao/happy-coder@0.102.14

⚠ Under review

Mobile and Web client for Claude Code and Codex

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 22 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 4.06 MB of source, external domains: 127.0.0.1, accounts.google.com, api.github.com, api.openai.com, auth.openai.com, claude.ai, console.anthropic.com, developers.google.com, github.com, goo.gle, happy.engineering, oauth2.googleapis.com, registry.npmjs.org, s.sangreal.code.xycloud.info, w.sangreal.code.xycloud.info, www.apple.com, www.googleapis.com

Source & flagged code

14 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/unpack-tools.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/happy-dev.mjsView file
2L3: import { execFileSync } from 'child_process'; L4: import { fileURLToPath } from 'url';
High
Child Process

Package source references child process execution.

bin/happy-dev.mjsView on unpkg · L2
8// Check if we're already running with the flags L9: const hasNoWarnings = process.execArgv.includes('--no-warnings'); L10: const hasNoDeprecation = process.execArgv.includes('--no-deprecation');
High
Shell

Package source references shell execution.

bin/happy-dev.mjsView on unpkg · L8
dist/config-CEoWusje.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @kmmao/happy-coder@0.102.10 matchedIdentity = npm:QGttbWFvL2hhcHB5LWNvZGVy:0.102.10 similarity = 0.640 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/config-CEoWusje.cjsView on unpkg
2L3: var fs = require('fs'); L4: var path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config-CEoWusje.cjsView on unpkg · L2
dist/index-D4fTyLjR.cjsView file
27996L27997: const execAsync$1 = util.promisify(child_process.exec); L27998: const CLIENT_ID = "681255809395-[redacted].apps.googleusercontent.com"; L27999: const CLIENT_SECRET = process.env.GOOGLE_OAUTH_CLIENT_SECRET ?? ""; L28000: const AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"; L28001: const TOKEN_URL = "https://oauth2.googleapis.com/token";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index-D4fTyLjR.cjsView on unpkg · L27996
8var api = require('./types-DH_Vitvo.cjs'); L9: var node_child_process = require('node:child_process'); L10: var node_readline = require('node:readline'); ... L421: } L422: const sessionData = fs.readFileSync(sessionFile, "utf-8").split("\n"); L423: const hasGoodMessage = !!sessionData.find((v, index) => { ... L3476: const attachedTerminals = /* @__PURE__ */ new Map(); L3477: let reconnectBaseUrl = null; L3478: let reconnectInflight = null;
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index-D4fTyLjR.cjsView on unpkg · L8
8Cross-file remote execution chain: dist/index-D4fTyLjR.cjs spawns dist/runCodex-Dtp490Mt.cjs; helper contains network access plus dynamic code execution. L8: var api = require('./types-DH_Vitvo.cjs'); L9: var node_child_process = require('node:child_process'); L10: var node_readline = require('node:readline'); ... L15: var React = require('react'); L16: var axios = require('axios'); L17: require('node:events'); ... L409: const projectId = path.resolve(workingDirectory).replace(/[^a-zA-Z0-9-]/g, "-"); L410: const claudeConfigDir = process.env.CLAUDE_CONFIG_DIR || path.join(os.homedir(), ".claude"); L411: return path.join(claudeConfigDir, "projects", projectId); ... L425: try { L426: const parsed = JSON.parse(v); L427: return typeof parsed.uuid === "string" && parsed.uuid.length > 0 || // Claude Code 2.1.x
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index-D4fTyLjR.cjsView on unpkg · L8
8var api = require('./types-DH_Vitvo.cjs'); L9: var node_child_process = require('node:child_process'); L10: var node_readline = require('node:readline'); ... L15: var React = require('react'); L16: var axios = require('axios'); L17: require('node:events'); ... L409: const projectId = path.resolve(workingDirectory).replace(/[^a-zA-Z0-9-]/g, "-"); L410: const claudeConfigDir = process.env.CLAUDE_CONFIG_DIR || path.join(os.homedir(), ".claude"); L411: return path.join(claudeConfigDir, "projects", projectId); ... L425: try { L426: const parsed = JSON.parse(v); L427: return typeof parsed.uuid === "string" && parsed.uuid.length > 0 || // Claude Code 2.1.x
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index-D4fTyLjR.cjsView on unpkg · L8
8var api = require('./types-DH_Vitvo.cjs'); L9: var node_child_process = require('node:child_process'); L10: var node_readline = require('node:readline'); ... L15: var React = require('react'); L16: var axios = require('axios'); L17: require('node:events'); ... L409: const projectId = path.resolve(workingDirectory).replace(/[^a-zA-Z0-9-]/g, "-"); L410: const claudeConfigDir = process.env.CLAUDE_CONFIG_DIR || path.join(os.homedir(), ".claude"); L411: return path.join(claudeConfigDir, "projects", projectId); ... L425: try { L426: const parsed = JSON.parse(v); L427: return typeof parsed.uuid === "string" && parsed.uuid.length > 0 || // Claude Code 2.1.x
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index-D4fTyLjR.cjsView on unpkg · L8
tools/unpacked/ripgrep.nodeView file
path = tools/unpacked/ripgrep.node kind = native_binary sizeBytes = 8555952 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

tools/unpacked/ripgrep.nodeView on unpkg
scripts/download-tools.shView file
path = scripts/download-tools.sh kind = build_helper sizeBytes = 4241 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/download-tools.shView on unpkg
tools/archives/difftastic-arm64-linux.tar.gzView file
path = tools/archives/difftastic-arm64-linux.tar.gz kind = high_entropy_blob sizeBytes = 11425536 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

tools/archives/difftastic-arm64-linux.tar.gzView on unpkg
path = tools/archives/difftastic-arm64-linux.tar.gz kind = compressed_blob sizeBytes = 11425536 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

tools/archives/difftastic-arm64-linux.tar.gzView on unpkg

Findings

1 Critical7 High8 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/config-CEoWusje.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/happy-dev.mjs
HighShellbin/happy-dev.mjs
HighSame File Env Network Executiondist/index-D4fTyLjR.cjs
HighRemote Agent Bridgedist/index-D4fTyLjR.cjs
HighCross File Remote Execution Contextdist/index-D4fTyLjR.cjs
HighShips High Entropy Blobtools/archives/difftastic-arm64-linux.tar.gz
MediumDynamic Requiredist/config-CEoWusje.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index-D4fTyLjR.cjs
MediumShips Native Binarytools/unpacked/ripgrep.node
MediumShips Build Helperscripts/download-tools.sh
MediumShips Compressed Blobtools/archives/difftastic-arm64-linux.tar.gz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index-D4fTyLjR.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings