registry  /  @nexushub/client  /  0.6.6

@nexushub/client@0.6.6

⚠ Under review

The God-Tier NexusHub SDK

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 1.43 MB of source, external domains: github.com, gnapex.gnexus.co.tz, jimmy.warting.se, maps.google.com, player.vimeo.com, react.dev, sentry.gnexus.co.tz, www.youtube.com

Source & flagged code

6 flagged · loading source
dist/cli.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @nexushub/client@0.6.5 matchedIdentity = npm:QG5leHVzaHViL2NsaWVudA:0.6.5 similarity = 0.944 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.cjsView on unpkg
25\r L26: `),i=!1,a=!1,l;n.on("response",u=>{let{headers:f}=u;i=f["transfer-encoding"]==="chunked"&&!f["content-length"]}),n.on("socket",u=>{let f=()=>{if(i&&!a){let d=new Error("Premature c... L27: \u{1F6A8} NexusHub Security Alert: Data Integrity Violation in file:
High
Child Process

Package source references child process execution.

dist/cli.cjsView on unpkg · L25
17`);return l!==-1&&(t=Da(t,a,i,l)),i+t+a};Object.defineProperties(Gr.prototype,yr);var ff=Gr(),sh=Gr({level:ka?ka.level:0});var w=ff;var Tr=X(require("process"),1),el=require("util"... L18: ${t}`,gf=Object.getOwnPropertyDescriptor(Function.prototype,"toString"),yf=Object.getOwnPropertyDescriptor(Function.prototype.toString,"name"),bf=(n,t,o)=>{let i=o===""?"":`with ${... L19: `),d=u-1;i=[...g.slice(0,d),"... (content truncated to fit terminal)"].join(` ... L25: \r L26: `),i=!1,a=!1,l;n.on("response",u=>{let{headers:f}=u;i=f["transfer-encoding"]==="chunked"&&!f["content-length"]}),n.on("socket",u=>{let f=()=>{if(i&&!a){let d=new Error("Premature c... L27: \u{1F6A8} NexusHub Security Alert: Data Integrity Violation in file:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.cjsView on unpkg · L17
10`,l,`\r L11: `)),i.push(`--${o}--`),new t(i,{type:"multipart/form-data; boundary="+o})}var on,od,id,ml,sd,gl,zi,Jt,Ne,yl,Qt,so=Hr(()=>{"use strict";tn();qi();({toStringTag:on,iterator:od,hasIns... L12: `)).replace(/\n/g,"%0A").replace(/\r/g,"%0D").replace(/"/g,"%22"),Jt=(n,t,o)=>{if(t.length<o)throw new TypeError(`Failed to execute '${n}' on 'FormData': ${o} arguments required, b... L13: --`+t;let o=new Uint8Array(t.length);for(let i=0;i<t.length;i++)o[i]=t.charCodeAt(i),this.boundaryChars[o[i]]=!0;this.boundary=o,this.lookbehind=new Uint8Array(this.boundary.length... L14: `:` ... L17: `);return l!==-1&&(t=Da(t,a,i,l)),i+t+a};Object.defineProperties(Gr.prototype,yr);var ff=Gr(),sh=Gr({level:ka?ka.level:0});var w=ff;var Tr=X(require("process"),1),el=require("util"... L18: ${t}`,gf=Object.getOwnPropertyDescriptor(Function.prototype,"toString"),yf=Object.getOwnPropertyDescriptor(Function.prototype.toString,"name"),bf=(n,t,o)=>{let i=o===""?"":`with ${... L19: `),d=u-1;i=[...g.slice(0,d),"... (content truncated to fit terminal)"].join(` ... L25: \r L26: `),i=!1,a=!1,l;n.on("response",u=>{let{headers:f}=u;i=f["transfer-encoding"]==="chunked"&&!f["content-length"]}),n.on("socket",u=
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.cjsView on unpkg · L10
25\r L26: `),i=!1,a=!1,l;n.on("response",u=>{let{headers:f}=u;i=f["transfer-encoding"]==="chunked"&&!f["content-length"]}),n.on("socket",u=>{let f=()=>{if(i&&!a){let d=new Error("Premature c... L27: \u{1F6A8} NexusHub Security Alert: Data Integrity Violation in file: ... L29: Error: ${o.message} L30: This file has been disabled until regenerated via npx nexus pull. L31: `),null}}async getPage(t){let o=ft.default.resolve(process.cwd(),this.baseDir,"pages",`${t}.nx`);if(Ze.default.existsSync(o)){let i=this.decompileFile(o);if(!i)return null;let a=i;...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.cjsView on unpkg · L25
dist/studio/assets/DC-KSUi6.woff2View file
path = dist/studio/assets/DC-KSUi6.woff2 kind = high_entropy_blob sizeBytes = 16512 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/studio/assets/DC-KSUi6.woff2View on unpkg

Findings

1 Critical5 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.cjs
HighChild Processdist/cli.cjs
HighSame File Env Network Executiondist/cli.cjs
HighCommand Output Exfiltrationdist/cli.cjs
HighRuntime Package Installdist/cli.cjs
HighShips High Entropy Blobdist/studio/assets/DC-KSUi6.woff2
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings