Static Scan Results
scanned 14d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
488// src/pty.ts
L489: import { spawn } from "child_process";
L490: import { PassThrough } from "stream";
High
998* Run `cmd` inside the guest via the exec-agent. The command string
L999: * is passed verbatim to `sh -c` inside the guest, so shell syntax
L1000: * (pipes, redirection, env) works.
High
6921req.once("error", fail);
L6922: req.write(body);
L6923: req.end();
...
L6930: warnedMissing = true;
L6931: process.stderr.write(
L6932: "machinen: gvproxy not found \u2014 microVM networking is disabled.\n Install: https://github.com/containers/gvisor-tap-vsock/releases\n Or point MACHINEN_GVPROXY at the binary d...
L6933: );
...
L6936: // src/nested-virt.ts
L6937: import { spawnSync as spawnSync2 } from "child_process";
L6938:
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L6921496var PTY_NAME = "machinen-pty";
L497: var require_ = createRequire(import.meta.url);
L498: function resolvePtyShim() {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L496Findings
3 High3 Medium4 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings