Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/protect.cjsView file
30// src/protect/engine/client.js
L31: var DEFAULT_BASE_URL = "https://api.patchstack.com";
L32: var DEFAULT_CACHE_TTL = 3e5;
...
L39: constructor({ token, baseUrl, cacheTtl } = {}) {
L40: this.#token = token ?? process.env.PATCHSTACK_WAF_TOKEN;
L41: this.#baseUrl = baseUrl ?? process.env.PATCHSTACK_WAF_API_URL ?? DEFAULT_BASE_URL;
...
L61: },
L62: body: JSON.stringify({}),
L63: signal: AbortSignal.timeout(3e4)
...
L73: }
L74: const data = await response.json();
L75: const result = {
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/protect.cjsView on unpkg · L30dist/index.cjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @patchstack/connect@0.3.6
matchedIdentity = npm:QHBhdGNoc3RhY2svY29ubmVjdA:0.3.6
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.cjsView on unpkgFindings
2 High3 Medium5 Low
HighCloud Metadata Accessdist/protect.cjs
HighPrevious Version Dangerous Deltadist/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings