
@northpeak/swarmai@1.0.0

Static Scan Results

scanned 12h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Obfuscated, Protestware, Url Strings
Manifest: No manifest risk signals triggered.
scanned 91 file(s), 5.81 MB of source, external domains: accounts.google.com, ai-gateway.vercel.sh, ai.azure.com, aistudio.google.com, antigravity.google, api.anthropic.com, api.arcee.ai, api.deepseek.com, api.github.com, api.githubcopilot.com, api.gmi-serving.com, api.groq.com, api.kilo.ai, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, api.novita.ai, api.openai.com, api.stepfun.ai, api.x.ai, api.xiaomimimo.com, api.z.ai, auth.openai.com, aws.amazon.com, bit.ly, build.nvidia.com, chat.qwen.ai, chatgpt.com, chevrotain.io, cloudcode-pa.googleapis.com, coding-intl.dashscope.aliyuncs.com, console.anthropic.com, console.x.ai, dashscope-intl.aliyuncs.com, dashscope.console.aliyun.com, docs.docker.com, en.wikipedia.org, generativelanguage.googleapis.com, github.com, goo.gl, help.aliyun.com, huggingface.co, inference-api.nousresearch.com, integrate.api.nvidia.com, jcgt.org, jquery.org, kilo.ai, langium.org, lodash.com
Oversized source lightweight scan
dashboard/assets/index-BsGGudn9.js (3.11 MB file, sampled 256 KB): Network, High Entropy Strings, Minified, Url Strings · domains: reactjs.org, www.w3.org
server.js (10.1 MB file, sampled 256 KB): Network, Environment Vars, Dynamic Require, Obfuscated, High Entropy Strings, Minified, Url Strings · domains: ollama.com
swarmai.js (6.65 MB file, sampled 256 KB): Environment Vars, Dynamic Require, Obfuscated, High Entropy Strings, Minified

Source & flagged code

10 flagged
dashboard/assets/mammoth.browser-imoN_kHU.js
L25: See http://goo.gl/MqrFmX
L26: `)}};function i(d,p,c){this._lateQueue.push(d,p,c),this._queueTick()}function e(d,p,c){this._normalQueue.push(d,p,c),this._queueTick()}function r(d){this._normalQueue._pushOne(d),t...
L27: return function(obj) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dashboard/assets/mammoth.browser-imoN_kHU.js · L25
plugins/channel-telegram-client.js
L1: #!/usr/bin/env node
L2: (function(_0x266a01,_0x2759ca){const _0xd14af2={_0x210f8a:0x1b5,_0x255da9:0x209,_0x1f3251:0x36,_0xe2803b:0x237,_0x43271b:0xb0,_0x44bfbc:0x1b8,_0x1f92d7:0x105,_0x24f763:0x143,_0xf70...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

plugins/channel-telegram-client.js · L1
Medium
Dynamic Require

Package source references dynamic require/import behavior.

plugins/channel-telegram-client.js · L1
scripts/uninstall.mjs
L30: *
L31: * Exit code 0 on success (or dry-run); non-zero only on an unexpected error
L32: * while attempting a removal that was requested.
...
L34:
L35: import { spawnSync } from 'node:child_process';
L36: import { existsSync, rmSync, readFileSync, writeFileSync } from 'node:fs';
...
L42: const root = path.resolve(here, '..'); // <install> dir (parent of scripts/)
L43: const isWindows = process.platform === 'win32';
L44:
...
L71: const dirs = [];
L72: const ws = process.env.SWARMAI_WORKSPACE;
L73: if (ws && ws.trim().length > 0) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/uninstall.mjs · L30
dashboard/assets/occt-import-js-BhHfLpto.wasm
path = dashboard/assets/occt-import-js-BhHfLpto.wasm kind = wasm_module sizeBytes = 7604031 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dashboard/assets/occt-import-js-BhHfLpto.wasm
scripts/self-update.ps1
path = scripts/self-update.ps1 kind = build_helper sizeBytes = 6966 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/self-update.ps1
dashboard/assets/jetbrains-mono-vietnamese-600-normal-OWROknRo.woff
path = dashboard/assets/jetbrains-mono-vietnamese-600-normal-OWROknRo.woff kind = high_entropy_blob sizeBytes = 5476 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dashboard/assets/jetbrains-mono-vietnamese-600-normal-OWROknRo.woff
swarmai.js
path = swarmai.js kind = oversized_source_file sizeBytes = 6968071 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

swarmai.js
path = swarmai.js kind = oversized_cli_entrypoint sizeBytes = 6968071 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

swarmai.js
package.json
scripts: registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.json

Findings

1 Critical · 4 High · 9 Medium · 4 Low
Critical · Manifest Confusion · package.json
High · Obfuscated Payload Loader · plugins/channel-telegram-client.js
High · Obfuscated
High · Ships High Entropy Blob · dashboard/assets/jetbrains-mono-vietnamese-600-normal-OWROknRo.woff
High · Oversized Source File · swarmai.js
Medium · Dynamic Require · plugins/channel-telegram-client.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · scripts/uninstall.mjs
Medium · Protestware
Medium · Ships Wasm Module · dashboard/assets/occt-import-js-BhHfLpto.wasm
Medium · Ships Build Helper · scripts/self-update.ps1
Medium · Oversized Cli Entrypoint · swarmai.js
Medium · Structural Risk: Force Deep Review
Low · Eval · dashboard/assets/mammoth.browser-imoN_kHU.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings