Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsObfuscatedTelemetryUrlStrings
Source & flagged code
4 flagged · loading sourcedist/cli/index.jsView file
32924patternName = generic_password
severity = medium
line = 32924
matchedText = password...d]",
Medium
dist/index.jsView file
9075import { resolve as resolve2 } from "path";
L9076: import { spawnSync } from "child_process";
L9077: import { tmpdir } from "os";
High
66Cross-file remote execution chain: dist/index.js spawns dist/cli/index.js; helper contains network access plus dynamic code execution.
L66: const e2 = __require("node:os");
L67: var t2 = [509, 0, 227, 0, 150, 4, 294, 9, 1368, 2, 2, 1, 6, 3, 41, 2, 5, 0, 166, 1, 574, 3, 9, 9, 7, 9, 32, 4, 318, 1, 80, 3, 71, 10, 50, 3, 123, 2, 54, 14, 32, 10, 3, 1, 11, 3, 46...
L68: function isInAstralSet(e3, t3) {
...
L75: function isIdentifierStart(e3, t3) {
L76: return e3 < 65 ? 36 === e3 : e3 < 91 || (e3 < 97 ? 95 === e3 : e3 < 123 || (e3 <= 65535 ? e3 >= 170 && c.test(String.fromCharCode(e3)) : false !== t3 && isInAstralSet(e3, s)));
L77: }
...
L2157: function pathe_M_eThtNZ_cwd() {
L2158: return "undefined" != typeof process && "function" == typeof process.cwd ? process.cwd().replace(/\\/g, "/") : "/";
L2159: }
...
L2333: const { ERR_UNKNOWN_FILE_EXTENSION: Ue } = Te, Me = {}.hasOwnProperty, je = { __proto__: null, ".cjs": "commonjs", ".js": "module", ".json": "json", ".mjs": "module" };
L2334: const Fe = { __proto__: null, "data:": function(e3) {
L2335: const { 1: t3 } = /^([^/]+\/[^;,]+)[^,]*?(;base64)?,/.exec(e3.pathname) || [null, null, null];
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L66bin/pluxx.jsView file
16L17: const cli = await import(pathToFileURL(cliPath).href)
L18: if (typeof cli.main !== 'function') {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/pluxx.jsView on unpkg · L16Findings
3 High5 Medium7 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumSecret Patterndist/cli/index.js
MediumDynamic Requirebin/pluxx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings