19if (parentPort) parentPort.postMessage(result);
L20: `});var iS={};Ls(iS,{discoverCurrentGitProject:()=>WL});import{spawnSync as NL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as eS,readdirSync as nS...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function lF(e){let n=["README.md","README.markdown","readme.md"].map(t=>Fs(e,t)).find(t=>eS(t));if(n!==void 0)try{let r=zL(...
...
L30: `," ")}function Fl(e){if(!ae(e))return;let n=q(e.payload)??{},t=q(e.actor),r=de(e.seq),o=m(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:m(t?.kind),actorSlug:m...
L31: `)}function US(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function Sg(e,n){let t=await wg(e,n),r=_g(n.body,t,{uploadInstructionMode:"footer"}),o=t...
L32: `)}function a9(e,n){let t=o9(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function i9(e,n){return m(e.kind)==="codex_assistant_message"?{...e...
CriticalSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/index.jsView on unpkg · L19 2const require = createRequire(import.meta.url);
L3: var kL=Object.create;var rg=Object.defineProperty;var CL=Object.getOwnPropertyDescriptor;var PL=Object.getOwnPropertyNames;var TL=Object.getPrototypeOf,IL=Object.prototype.hasOwnPr...
L4: const { workerData, parentPort } = require('node:worker_threads');
...
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var iS={};Ls(iS,{discoverCurrentGitProject:()=>WL});import{spawnSync as NL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as eS,readdirSync as nS...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function lF(e){let n=["README.md","README.markdown","readme.md"].map(t=>Fs(e,t)).find(t=>eS(t));if(n!==void 0)try{let r=zL(...
L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function fF(e){return Object.fromEntries(Object.entri...
L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return ae(t)?[t]:[]}catch{return[]}})}catch{return[]}}function CF(e){return e.flatMap((n,t)=>{if(n.type!=="response_...
...
L27: ${u}`.split(`
L28: `).filter(c=>c.trim()!=="")}catch{return[]}final
CriticalRemote Asset Decode Execute
Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/index.jsView on unpkg · L2 19Trigger-reachable chain: manifest.bin -> bin/linzumi.js -> dist/index.js
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var iS={};Ls(iS,{discoverCurrentGitProject:()=>WL});import{spawnSync as NL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as eS,readdirSync as nS...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function lF(e){let n=["README.md","README.markdown","readme.md"].map(t=>Fs(e,t)).find(t=>eS(t));if(n!==void 0)try{let r=zL(...
...
L30: `," ")}function Fl(e){if(!ae(e))return;let n=q(e.payload)??{},t=q(e.actor),r=de(e.seq),o=m(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:m(t?.kind),actorSlug:m...
L31: `)}function US(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function Sg(e,n){let t=await wg(e,n),r=_g(n.body,t,{uploadInstructionMode:"footer"}),o=t...
L32: `)}function a9(e,n){let t=o9(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function i9(e,n){return m(e.kind)==="codex_assistant_message"?{...e...
CriticalTrigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L19 •matchType = previous_version_dangerous_delta
matchedPackage = @linzumi/cli@1.0.8
matchedIdentity = npm:QGxpbnp1bWkvY2xp:1.0.8
similarity = 0.917
summary = stored previous version shares package body but lacks this dangerous source file
CriticalPrevious Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg 19if (parentPort) parentPort.postMessage(result);
L20: `});var iS={};Ls(iS,{discoverCurrentGitProject:()=>WL});import{spawnSync as NL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as eS,readdirSync as nS...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function lF(e){let n=["README.md","README.markdown","readme.md"].map(t=>Fs(e,t)).find(t=>eS(t));if(n!==void 0)try{let r=zL(...
HighChild Process
Package source references child process execution.
dist/index.jsView on unpkg · L19 19if (parentPort) parentPort.postMessage(result);
L20: `});var iS={};Ls(iS,{discoverCurrentGitProject:()=>WL});import{spawnSync as NL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as eS,readdirSync as nS...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function lF(e){let n=["README.md","README.markdown","readme.md"].map(t=>Fs(e,t)).find(t=>eS(t));if(n!==void 0)try{let r=zL(...
...
L30: `," ")}function Fl(e){if(!ae(e))return;let n=q(e.payload)??{},t=q(e.actor),r=de(e.seq),o=m(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:m(t?.kind),actorSlug:m...
L31: `)}function US(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function Sg(e,n){let t=await wg(e,n),r=_g(n.body,t,{uploadInstructionMode:"footer"}),o=t...
L32: `)}function a9(e,n){let t=o9(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function i9(e,n){return m(e.kind)==="codex_assistant_message"?{...e...
HighCommand Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L19 2const require = createRequire(import.meta.url);
L3: var kL=Object.create;var rg=Object.defineProperty;var CL=Object.getOwnPropertyDescriptor;var PL=Object.getOwnPropertyNames;var TL=Object.getPrototypeOf,IL=Object.prototype.hasOwnPr...
L4: const { workerData, parentPort } = require('node:worker_threads');
...
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var iS={};Ls(iS,{discoverCurrentGitProject:()=>WL});import{spawnSync as NL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as eS,readdirSync as nS...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function lF(e){let n=["README.md","README.markdown","readme.md"].map(t=>Fs(e,t)).find(t=>eS(t));if(n!==void 0)try{let r=zL(...
L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function fF(e){return Object.fromEntries(Object.entri...
L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return ae(t)?[t]:[]}catch{return[]}})}catch{return[]}}function CF(e){return e.flatMap((n,t)=>{if(n.type!=="response_...
...
L27: ${u}`.split(`
L28: `).filter(c=>c.trim()!=="")}catch{return[]}final
HighSandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L2 2Cross-file remote execution chain: dist/index.js spawns dist/mcp-server.mjs; helper contains network access plus dynamic code execution.
L2: const require = createRequire(import.meta.url);
L3: var kL=Object.create;var rg=Object.defineProperty;var CL=Object.getOwnPropertyDescriptor;var PL=Object.getOwnPropertyNames;var TL=Object.getPrototypeOf,IL=Object.prototype.hasOwnPr...
L4: const { workerData, parentPort } = require('node:worker_threads');
...
L19: if (parentPort) parentPort.postMessage(result);
L20: `});var iS={};Ls(iS,{discoverCurrentGitProject:()=>WL});import{spawnSync as NL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as eS,readdirSync as nS...
L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function lF(e){let n=["README.md","README.markdown","readme.md"].map(t=>Fs(e,t)).find(t=>eS(t));if(n!==void 0)try{let r=zL(...
L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function fF(e){return Object.fromEntries(Object.entri...
L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return ae(t)?[t]:[]}catch{return[]}})}catch{return[]}}func…
HighCross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L2