19if (parentPort) parentPort.postMessage(result);
L20: `});var yR={};Zs(yR,{discoverCurrentGitProject:()=>iV});import{spawnSync as XK}from"node:child_process";import{homedir as YK}from"node:os";import{existsSync as lR,readdirSync as pR...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function SV(e){let n=["README.md","README.markdown","readme.md"].map(t=>Td(e,t)).find(t=>lR(t));if(n!==void 0)try{let r=eV(...
...
L30: `," ")}function Xf(e){if(!H(e))return;let n=E(e.payload)??{},t=E(e.actor),r=Q(e.seq),o=h(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:h(t?.kind),actorSlug:h(t...
L31: `)}function eE(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function Hx(e,n){let t=await Wx(e,n),r=Zx(n.body,t,{uploadInstructionMode:"footer"}),o=t...
L32: `)}function _W(e,n){let t=bW(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function wW(e,n){return h(e.kind)==="codex_assistant_message"?{...e...
CriticalSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/index.jsView on unpkg · L19 2const require = createRequire(import.meta.url);
L3: var jK=Object.create;var Ix=Object.defineProperty;var LK=Object.getOwnPropertyDescriptor;var zK=Object.getOwnPropertyNames;var FK=Object.getPrototypeOf,qK=Object.prototype.hasOwnPr...
L4: const { workerData, parentPort } = require('node:worker_threads');
...
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var yR={};Zs(yR,{discoverCurrentGitProject:()=>iV});import{spawnSync as XK}from"node:child_process";import{homedir as YK}from"node:os";import{existsSync as lR,readdirSync as pR...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function SV(e){let n=["README.md","README.markdown","readme.md"].map(t=>Td(e,t)).find(t=>lR(t));if(n!==void 0)try{let r=eV(...
L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function kV(e){return Object.fromEntries(Object.entri...
L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return H(t)?[t]:[]}catch{return[]}})}catch{return[]}}function LV(e){return e.flatMap((n,t)=>{if(n.type!=="response_i...
...
L27: ${u}`.split(`
L28: `).filter(c=>c.trim()!=="")}catch{return[]}final
CriticalRemote Asset Decode Execute
Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/index.jsView on unpkg · L2 19Trigger-reachable chain: manifest.bin -> bin/linzumi.js -> dist/index.js
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var yR={};Zs(yR,{discoverCurrentGitProject:()=>iV});import{spawnSync as XK}from"node:child_process";import{homedir as YK}from"node:os";import{existsSync as lR,readdirSync as pR...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function SV(e){let n=["README.md","README.markdown","readme.md"].map(t=>Td(e,t)).find(t=>lR(t));if(n!==void 0)try{let r=eV(...
...
L30: `," ")}function Xf(e){if(!H(e))return;let n=E(e.payload)??{},t=E(e.actor),r=Q(e.seq),o=h(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:h(t?.kind),actorSlug:h(t...
L31: `)}function eE(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function Hx(e,n){let t=await Wx(e,n),r=Zx(n.body,t,{uploadInstructionMode:"footer"}),o=t...
L32: `)}function _W(e,n){let t=bW(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function wW(e,n){return h(e.kind)==="codex_assistant_message"?{...e...
CriticalTrigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L19 19if (parentPort) parentPort.postMessage(result);
L20: `});var yR={};Zs(yR,{discoverCurrentGitProject:()=>iV});import{spawnSync as XK}from"node:child_process";import{homedir as YK}from"node:os";import{existsSync as lR,readdirSync as pR...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function SV(e){let n=["README.md","README.markdown","readme.md"].map(t=>Td(e,t)).find(t=>lR(t));if(n!==void 0)try{let r=eV(...
HighChild Process
Package source references child process execution.
dist/index.jsView on unpkg · L19 1097|| (${s} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(a,(0,Xe._)`+${o}`);return;case"boolean":r.elseIf((0,Xe._)`${o} === "false" || ${o} === 0 || ${o} === null`)....
L1098: || ${s} === "boolean" || ${o} === null`).assign(a,(0,Xe._)`[${o}]`)}}}function vwe({gen:e,parentData:n,parentDataProperty:t},r){e.if((0,Xe._)`${n} !== undefined`,()=>e.assign((0,Xe...
L1099: missingProperty: ${r},
19if (parentPort) parentPort.postMessage(result);
L20: `});var yR={};Zs(yR,{discoverCurrentGitProject:()=>iV});import{spawnSync as XK}from"node:child_process";import{homedir as YK}from"node:os";import{existsSync as lR,readdirSync as pR...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function SV(e){let n=["README.md","README.markdown","readme.md"].map(t=>Td(e,t)).find(t=>lR(t));if(n!==void 0)try{let r=eV(...
...
L30: `," ")}function Xf(e){if(!H(e))return;let n=E(e.payload)??{},t=E(e.actor),r=Q(e.seq),o=h(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:h(t?.kind),actorSlug:h(t...
L31: `)}function eE(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function Hx(e,n){let t=await Wx(e,n),r=Zx(n.body,t,{uploadInstructionMode:"footer"}),o=t...
L32: `)}function _W(e,n){let t=bW(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function wW(e,n){return h(e.kind)==="codex_assistant_message"?{...e...
HighCommand Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L19 2const require = createRequire(import.meta.url);
L3: var jK=Object.create;var Ix=Object.defineProperty;var LK=Object.getOwnPropertyDescriptor;var zK=Object.getOwnPropertyNames;var FK=Object.getPrototypeOf,qK=Object.prototype.hasOwnPr...
L4: const { workerData, parentPort } = require('node:worker_threads');
...
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var yR={};Zs(yR,{discoverCurrentGitProject:()=>iV});import{spawnSync as XK}from"node:child_process";import{homedir as YK}from"node:os";import{existsSync as lR,readdirSync as pR...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function SV(e){let n=["README.md","README.markdown","readme.md"].map(t=>Td(e,t)).find(t=>lR(t));if(n!==void 0)try{let r=eV(...
L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function kV(e){return Object.fromEntries(Object.entri...
L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return H(t)?[t]:[]}catch{return[]}})}catch{return[]}}function LV(e){return e.flatMap((n,t)=>{if(n.type!=="response_i...
...
L27: ${u}`.split(`
L28: `).filter(c=>c.trim()!=="")}catch{return[]}final
HighSandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L2 2Cross-file remote execution chain: dist/index.js spawns dist/mcp-server.mjs; helper contains network access plus dynamic code execution.
L2: const require = createRequire(import.meta.url);
L3: var jK=Object.create;var Ix=Object.defineProperty;var LK=Object.getOwnPropertyDescriptor;var zK=Object.getOwnPropertyNames;var FK=Object.getPrototypeOf,qK=Object.prototype.hasOwnPr...
L4: const { workerData, parentPort } = require('node:worker_threads');
...
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var yR={};Zs(yR,{discoverCurrentGitProject:()=>iV});import{spawnSync as XK}from"node:child_process";import{homedir as YK}from"node:os";import{existsSync as lR,readdirSync as pR...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function SV(e){let n=["README.md","README.markdown","readme.md"].map(t=>Td(e,t)).find(t=>lR(t));if(n!==void 0)try{let r=eV(...
L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function kV(e){return Object.fromEntries(Object.entri...
L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return H(t)?[t]:[]}catch{return[]}})}catch{return[]}}funct…
HighCross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L2