Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
Child Process · Environment Vars · Eval · Filesystem · Network · Shell
High Entropy Strings · Url Strings
Oversized source lightweight scan
dist/chunk-T2I5QBUT.js · 10.0 MB file, sampled 256 KB
Child Process · Environment Vars · Eval · High Entropy Strings · Url Strings (developer.mozilla.org, github.com, jsperf.com, stackoverflow.com)
Source & flagged code
4 flagged · dist/index.js
L121: var import_semver = __toESM(require_semver(), 1);
L122: import { spawn as spawn2 } from "node:child_process";
L123: import { access, mkdir, readFile as readFile2, rename, rm, writeFile } from "node:fs/promises";
High
L218: windowsVerbatimArguments: true,
L219: ...process.platform === "win32" && modulePath.toLowerCase().endsWith(".cmd") && { shell: true }
L220: });
High
Cross-file remote execution chain (at L121): dist/index.js spawns dist/npa-L34VQLAA.js; helper contains network access plus dynamic code execution.
L121: var import_semver = __toESM(require_semver(), 1);
L122: import { spawn as spawn2 } from "node:child_process";
L123: import { access, mkdir, readFile as readFile2, rename, rm, writeFile } from "node:fs/promises";
...
L150: const {
L151: env = process.env,
L152: platform = process.platform
L153: } = options;
...
L221: const possibleLastLinesOfNpmInstall = ["up to date", "added"];
L222: const stderr = [];
L223: const stdout = [];
...
L310: * Get the path to the npm CLI file.
L311: * This will resolve npm to the pinned version in `@oclif/plugin-plugins/package.json` if it exists.
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.js · L121
dist/chunk-T2I5QBUT.js
• path = dist/chunk-T2I5QBUT.js
• kind = oversized_source_file
• sizeBytes = 10508451
• magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/chunk-T2I5QBUT.js
Findings
4 High · 3 Medium · 6 Low
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Cross File Remote Execution Context · dist/index.js
High · Oversized Source File · dist/chunk-T2I5QBUT.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings