
@monotykamary/localterm@2.37.2

⚠ Under review

A browser-based terminal: one browser tab is one PTY session. Friendly URL, persistent xterm.js front-end, hono + node-pty back-end.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 15 findings at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
A combination of high-risk behaviors matched the malicious-behavior policy.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Network · Shell · WebSocket
Supply chain: High Entropy Strings · Minified · Obfuscated · Url Strings
Manifest: No manifest risk signals triggered.
Scanned 78 files, 4.17 MB of source. External domains referenced: base-ui.com, fonts.googleapis.com, github.com, json-schema.org, login.tailscale.com, react.dev, simplewebauthn.dev, tailscale.com, www.apple.com, www.w3.org

Source & flagged code

6 flagged code locations
dist/utils/spawn-daemon.js
1import { spawn } from "node:child_process"; L2: import { DAEMON_CHILD_ENV_FLAG, RESTART_DAEMON_ENV_FLAG } from "../constants.js";
High
Child Process

Package source references child process execution.

dist/utils/spawn-daemon.js · L1
dist/commands/install.js
104Environment=PATH=${pathEnv} L105: ExecStartPre=/bin/sh -c 'command -v tailscale >/dev/null 2>&1 || exit 0; for i in $(seq 1 ${input.tailscaleBootWaitSeconds}); do tailscale status --json >/dev/null 2>&1 && exit 0; ... L106: ExecStart=${input.execPath} ${input.cliEntry} start --foreground --port ${input.port} --host ${input.host}
High
Shell

Package source references shell execution.

dist/commands/install.js · L104
dist/utils/shell-completions.js
3import path from "node:path"; L4: import { execFile } from "node:child_process"; L5: import { promisify } from "node:util"; ... L12: case "bash": L13: return ".bashrc"; L14: case "zsh": ... L23: const relative = rcRelativePath(shell); L24: return relative ? path.join(os.homedir(), relative) : null; L25: }; ... L99: try { L100: const { stdout } = await execFileAsync("zsh", ["-c", "print -l $fpath"], { timeout: 3000 }); L101: return stdout
Medium
Install Persistence

Source writes installer persistence, such as a shell profile or service configuration.

dist/utils/shell-completions.js · L3
terminal/assets/index-BOTroeeA.js
122contains invisible/control Unicode U+2060 (word joiner) `):e}var CL=null,wL;function TL(){return CL===null&&(CL=new Intl.Segmenter(wL,{granularity:`word`})),CL}var EL=/\p{Script=Arabic}/u,DL=/\p{M}/u,OL=/\p{Nd}/u;function kL(e){return EL.test(e)}function AL(e){return e>=19968&&e<=40959||e>=13312
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. The flagged occurrence here is inside a minified bundle adjacent to Intl.Segmenter word-boundary logic, where a word joiner may be a legitimate character-class entry rather than a code-layout trick; confirm whether it sits in data or in code before escalating.

terminal/assets/index-BOTroeeA.js · L122
270XID_Continue XIDC L271: XID_Start XIDS`.split(/\s/).map(e=>[tY(e),e])),YY=new Map([[`s`,NY(383)],[NY(383),`s`]]),XY=new Map([[NY(223),NY(7838)],[NY(107),NY(8490)],[NY(229),NY(8491)],[NY(969),NY(8486)]]),Z... L272: ]`:`(?>\r L273: ?|[ L274: \v\f…\u2028\u2029])`),t));else if(c===`posix`)if(!i&&(u===`graph`||u===`print`)){if(r===`strict`)throw Error(`POSIX class "${u}" requires min target ES2024 or non-strict accuracy`)... L275: `),fZ=(e,t)=>{let n=oZ.get(e);if(n&&n.contentKey===dZ(t))return n.result},pZ=async(e,t,n)=>{let r=fZ(e,t);if(r!==void 0)return r;let i=nZ[n];if(!i)return oZ.set(e,{contentKey:dZ(t)... L276: `),o=r.codeToTokens(a,{lang:n,theme:aZ}).tokens.map(e=>({tokens:e.map(e=>({content:e.content,color:e.color??``,fontStyle:e.fontStyle??0}))}));return oZ.set(e,{contentKey:dZ(t),resu... L277: `);a.length>0&&a[a.length-1]===``&&a.pop();for(let e of a){let a=HZ.exec(e);if(a){r=Number.parseInt(a[1],10),i=Number.parseInt(a[2],10),n={header:e,lines:[]},t.push(n);continue}if(... ... L279: `)},ge[gt]=()=>{let e=n.querySelector(`.xterm-screen`);if(!(e instanceof HTMLElement))return null;let t=e.getBoundingClientRect();return{left:t.left,top:t.top,cellWidth:K.cols>0?t.... L280:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

terminal/assets/index-BOTroeeA.js · L270
terminal/assets/geist-mono-latin-600-normal-DQQBcVN0.woff2
path = terminal/assets/geist-mono-latin-600-normal-DQQBcVN0.woff2 kind = high_entropy_blob sizeBytes = 15264 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs. The flagged file has a .woff2 extension (a compressed web-font format that is high-entropy by design); confirm the blob's magic bytes identify it as a font before treating it as a hidden payload.

terminal/assets/geist-mono-latin-600-normal-DQQBcVN0.woff2

Findings

1 Critical · 4 High · 5 Medium · 5 Low
Critical · Trojan Source Unicode · terminal/assets/index-BOTroeeA.js
High · Child Process · dist/utils/spawn-daemon.js
High · Shell · dist/commands/install.js
High · Command Output Exfiltration · terminal/assets/index-BOTroeeA.js
High · Ships High Entropy Blob · terminal/assets/geist-mono-latin-600-normal-DQQBcVN0.woff2
Medium · Dynamic Require
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/utils/shell-completions.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings