@pagenary/publisher@2026.7.3

⚠ Under review

Multi-tenant static publishing component for Pagenary platform.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: CopyleftLicense
scanned 217 file(s), 1.45 MB of source, external domains: 127.0.0.1, api.example.com, discord.gg, docs.acme.com, docs.aiwg.io, docs.example.com, docs.fortemi.com, docs.pagenary.com, docs.roko.network, esm.sh, example.com, git.integrolabs.net, github.com, llmstxt.org, my-docs.local, nodejs.org, player.vimeo.com, schema.org, support.example.com, tally.so, vimeo.com, www.sitemaps.org, www.w3.org, www.youtube-nocookie.com, www.youtube.com

Source & flagged code

3 flagged

scripts/build.js
Line 7:
L8: const require = createRequire(import.meta.url);
L9: const root = process.cwd();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/build.js · L7

scripts/lib/frontmatter.js
Line 25: contains invisible/control Unicode U+FEFF (zero width no-break space)
const match = text.match(/^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

scripts/lib/frontmatter.js · L25

scripts/build-tenants.js
Line 5: Cross-file remote execution chain: scripts/build-tenants.js spawns scripts/lib/seo-generator.js; helper contains network access plus dynamic code execution.
L5: import path from 'path';
L6: import { spawn, execSync } from 'child_process';
L7: import { createHash } from 'crypto';
...
L26:
L27: const root = process.cwd();
L28: // The package's own directory (this file lives at <pkg>/scripts/build-tenants.js).
...
L69: // Git options
L70: cacheDir: process.env.GIT_CACHE_DIR || null,
L71: keepCache: false,
...
L197: GIT_TERMINAL_PROMPT Set to 0 to disable interactive git prompts (recommended for CI)
L198: GIT_SSH_COMMAND Custom SSH command (e.g., "ssh -i ~/.ssh/deploy_key")
L199: GIT_CREDENTIALS HTTPS credentials in "username:token" format (not logged)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/build-tenants.js · L5

Findings

1 Critical · 3 High · 4 Medium · 6 Low

Critical · Trojan Source Unicode · scripts/lib/frontmatter.js
High · Child Process
High · Shell
High · Cross File Remote Execution Context · scripts/build-tenants.js
Medium · Dynamic Require · scripts/build.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License