registry  /  @mindexec/cli  /  0.2.432

@mindexec/cli@0.2.432

⚠ Under review

MindExec local runtime and bridge CLI

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 66 file(s), 5.85 MB of source, external domains: 127.0.0.1, aka.ms, api.duckduckgo.com, cdn.jsdelivr.net, duckduckgo.com, github.com, html.duckduckgo.com, mindexec.pages.dev, mindexecution.pages.dev, news.google.com, search.brave.com, www.bing.com, www.googleapis.com, www.w3.org

Source & flagged code

12 flagged · loading source
server.jsView file
18import sharp from 'sharp'; L19: import { createServer } from 'http'; L20: import { WebSocket, WebSocketServer } from 'ws'; ... L27: L28: const execAsync = promisify(exec); L29: const execFileAsync = promisify(execFile); ... L32: const app = express(); L33: const PORT = normalizePort(process.env.BRIDGE_PORT); L34: const BRIDGE_ROOT = path.dirname(fileURLToPath(import.meta.url));
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

server.jsView on unpkg · L18
Trigger-reachable chain: manifest.main -> server.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.jsView on unpkg
12import path from 'path'; L13: import { exec, spawn, spawnSync, execFile } from 'child_process'; L14: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

server.jsView on unpkg · L12
27L28: const execAsync = promisify(exec); L29: const execFileAsync = promisify(execFile);
High
Shell

Package source references shell execution.

server.jsView on unpkg · L27
12Cross-file remote execution chain: server.js spawns wwwroot/_framework/blazor.webassembly.js; helper contains network access plus dynamic code execution. L12: import path from 'path'; L13: import { exec, spawn, spawnSync, execFile } from 'child_process'; L14: import { promisify } from 'util'; ... L18: import sharp from 'sharp'; L19: import { createServer } from 'http'; L20: import { WebSocket, WebSocketServer } from 'ws'; ... L32: const app = express(); L33: const PORT = normalizePort(process.env.BRIDGE_PORT); L34: const BRIDGE_ROOT = path.dirname(fileURLToPath(import.meta.url)); L35: const PACKAGE_INFO = JSON.parse(readFileSync(path.join(BRIDGE_ROOT, 'package.json'), 'utf8').replace(/^\uFEFF/, '')); L36: const BRIDGE_PACKAGE_NAME = String(PACKAGE_INFO.name || '@mindexec/cli'); ... L46: const VERBOSE_REMOTE_AGENT_LOGS = /^(1|true|yes|on)$/i.test(String(process.env.MINDEXEC_VERBOSE_REMOTE_AGENT || process.env.BRIDGE_VERBOSE_REMOTE_AGENT || ''));
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

server.jsView on unpkg · L12
wwwroot/_framework/dotnet.runtime.opaiwunc3t.jsView file
2//! The .NET Foundation licenses this file to you under the MIT license. L3: var e="9.0.17",t="Release",n=!1;const r=[[!0,"mono_wasm_register_root","number",["number","number","string"]],[!0,"mono_wasm_deregister_root",null,["number"]],[!0,"mono_wasm_string... L4: //# sourceMappingURL=dotnet.runtime.js.map
High
Eval

Package source references dynamic code evaluation.

wwwroot/_framework/dotnet.runtime.opaiwunc3t.jsView on unpkg · L2
wwwroot/_framework/dotnet.native.566r55w3xu.jsView file
7L8: var Module=moduleArg;var readyPromiseResolve,readyPromiseReject;Module["ready"]=new Promise((resolve,reject)=>{readyPromiseResolve=resolve;readyPromiseReject=reject});if(_nativeMod... L9:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

wwwroot/_framework/dotnet.native.566r55w3xu.jsView on unpkg · L7
scripts/remote-fast-mdm-browser-smoke.mjsView file
3Detached bundled service listener: scripts/remote-fast-mdm-browser-smoke.mjs spawns server.js; helper exposes a broad-bound HTTP listener. L3: import assert from 'node:assert/strict'; L4: import { spawn } from 'node:child_process'; L5: import { mkdtemp, rm } from 'node:fs/promises'; L6: import net from 'node:net'; L7: import os from 'node:os'; ... L14: const LOCAL_BRIDGE_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..'); L15: const REQUESTED_FPS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_REQUEST_FPS || 12); L16: const SAMPLE_MS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_SAMPLE_MS || 1500); ... L45: L46: const payload = await response.json().catch(() => null); L47: return { status: response.status, ok: response.ok, payload }; ... L91:
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

scripts/remote-fast-mdm-browser-smoke.mjsView on unpkg · L3
wwwroot/_framework/Microsoft.AspNetCore.Authorization.htf46vkphd.dllView file
path = wwwroot/_framework/Microsoft.AspNetCore.Authorization.htf46vkphd.dll kind = native_binary sizeBytes = 26624 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

wwwroot/_framework/Microsoft.AspNetCore.Authorization.htf46vkphd.dllView on unpkg
wwwroot/_framework/dotnet.native.x6q5aixc38.wasmView file
path = wwwroot/_framework/dotnet.native.x6q5aixc38.wasm kind = wasm_module sizeBytes = 3701624 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

wwwroot/_framework/dotnet.native.x6q5aixc38.wasmView on unpkg
start-bridge.batView file
path = start-bridge.bat kind = build_helper sizeBytes = 558 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

start-bridge.batView on unpkg
wwwroot/_content/MindExecution.Shared/lib/font-awesome/webfonts/fa-regular-400.woff2View file
path = wwwroot/_content/MindExecution.Shared/lib/font-awesome/webfonts/fa-regular-400.woff2 kind = high_entropy_blob sizeBytes = 25452 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

wwwroot/_content/MindExecution.Shared/lib/font-awesome/webfonts/fa-regular-400.woff2View on unpkg

Findings

2 Critical6 High7 Medium5 Low
CriticalSame File Env Network Executionserver.js
CriticalTrigger Reachable Dangerous Capabilityserver.js
HighChild Processserver.js
HighShellserver.js
HighEvalwwwroot/_framework/dotnet.runtime.opaiwunc3t.js
HighCross File Remote Execution Contextserver.js
HighSpawned Bundled Service Listenerscripts/remote-fast-mdm-browser-smoke.mjs
HighShips High Entropy Blobwwwroot/_content/MindExecution.Shared/lib/font-awesome/webfonts/fa-regular-400.woff2
MediumDynamic Requirewwwroot/_framework/dotnet.native.566r55w3xu.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarywwwroot/_framework/Microsoft.AspNetCore.Authorization.htf46vkphd.dll
MediumShips Wasm Modulewwwroot/_framework/dotnet.native.x6q5aixc38.wasm
MediumShips Build Helperstart-bridge.bat
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings