Static analysis flagged 28 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Package contains a critical-looking secret pattern.
chunks/tree-sitter-bash-XNCMPQBK.jsView on unpkg · L3AWS access key ID in chunks/tree-sitter-bash-XNCMPQBK.js
chunks/tree-sitter-bash-XNCMPQBK.jsView on unpkg · L3Package source references child process execution.
chunks/lowlight-XACRL7SV.jsView on unpkg · L2Package source references a known benign dynamic code generation pattern.
chunks/serve-CIN26WPX.jsView on unpkg · L6Package source references dynamic require/import behavior.
chunks/chunk-JQSW4K4X.jsView on unpkg · L6Package source executes code through a VM context API.
chunks/workflow-EUTO2UEN.jsView on unpkg · L4Package source references weak cryptographic algorithms.
chunks/dist-N66KF4KX.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
chunks/chunk-DY6PIAAY.jsView on unpkg · L7Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
chunks/chunk-DY6PIAAY.jsView on unpkg · L39Source reaches cloud instance metadata or link-local credential endpoints.
chunks/chunk-4J6DC24J.jsView on unpkg · L2Source exposes local file and command tools to a remote model endpoint.
chunks/chunk-YTY4VZHQ.jsView on unpkg · L17Package contains source files above the static scanner size ceiling.
chunks/chunk-ZX6WKO3S.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
cli.jsView on unpkgSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-DY6PIAAY.jsView on unpkg · L2Source writes installer persistence such as shell profile or service configuration.
chunks/chunk-DY6PIAAY.jsView on unpkg · L2Package contains a critical-looking secret pattern.
chunks/tree-sitter-bash-XNCMPQBK.jsView on unpkg · L3AWS access key ID in chunks/tree-sitter-bash-XNCMPQBK.js
chunks/tree-sitter-bash-XNCMPQBK.jsView on unpkg · L3Package source references child process execution.
chunks/lowlight-XACRL7SV.jsView on unpkg · L2Package source references a known benign dynamic code generation pattern.
chunks/serve-CIN26WPX.jsView on unpkg · L6A single source file combines environment access, network access, and code or shell execution; review context before blocking.
chunks/chunk-DY6PIAAY.jsView on unpkg · L7Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
chunks/chunk-DY6PIAAY.jsView on unpkg · L39Source reaches cloud instance metadata or link-local credential endpoints.
chunks/chunk-4J6DC24J.jsView on unpkg · L2Source exposes local file and command tools to a remote model endpoint.
chunks/chunk-YTY4VZHQ.jsView on unpkg · L17Package contains source files above the static scanner size ceiling.
chunks/chunk-ZX6WKO3S.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
cli.jsView on unpkgPackage source references dynamic require/import behavior.
chunks/chunk-JQSW4K4X.jsView on unpkg · L6Package source executes code through a VM context API.
chunks/workflow-EUTO2UEN.jsView on unpkg · L4Package source references weak cryptographic algorithms.
chunks/dist-N66KF4KX.jsView on unpkg · L2Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-DY6PIAAY.jsView on unpkg · L2Source writes installer persistence such as shell profile or service configuration.
chunks/chunk-DY6PIAAY.jsView on unpkg · L2