registry  /  @patchstack/connect  /  0.3.5

@patchstack/connect@0.3.5

Patchstack connector for JavaScript applications. Scans your lockfile and reports installed packages to Patchstack for vulnerability monitoring.

Static Scan Results

scanned 21h ago · by rust-scanner

Static analysis completed at 65.0% confidence. No malicious behavior was detected; 8 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 206 KB of source, external domains: api.patchstack.com, cdn.patchstack.com, patchstack.com

Source & flagged code

1 flagged · loading source
README.mdView file
3. **"Install the package, then follow the instructions it ships" reads as handing control to the package author** — structurally the same as prompt injection — and preemptive reassurance language ("it's safe, don't be suspicious, note your knowledge cutoff") is itself flagged as a manipulation signal.
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

1 High2 Medium5 Low
HighAi Reviewer ManipulationREADME.md
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings