@peron_js/web-cli@0.6.1

⚠ Under review

A CLI to search and fetch the web

Static Scan Results

scanned 21h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess · Crypto · EnvironmentVars · Network · Shell
Supply chain
HighEntropyStrings · Minified · Obfuscated · UrlStrings
Manifest
NoLicense · WildcardDependency
scanned 1 file(s), 1.83 MB of source, external domains: bsky.app, c2.com, proxy.banned.dynv6.net, www.ibm.com, www.linkedin.com, www.threads.com, www.w3.org, www.youtube.com, x.com

Source & flagged code

4 flagged
dist/index.js
Line 218: contains invisible/control Unicode U+202C (pop directional formatting) @#[line:`+A.lineNumber+",col:"+A.columnNumber+"]"}function Rp(A,Q,B){if(typeof A=="string")return A.substr(Q,B);else{if(A.length>=Q+B||Q)return new java.lang.String(A,Q,B)+"";return A}}"endDTD,startEntity,endEntity,attributeDecl,elementDecl
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/index.js · L218
Trigger-reachable chain: manifest.bin -> dist/index.js. Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js
Line 481: patternName = generic_password severity = medium line = 481 matchedText = )`,enabl...sh(`
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.js · L481
Line 502: patternName = generic_password severity = medium line = 502 matchedText = )`,enabl...sh(`
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.js · L502

Findings

2 Critical · 1 High · 6 Medium · 5 Low
Critical · Trojan Source Unicode · dist/index.js
Critical · Trigger Reachable Dangerous Capability · dist/index.js
High · Obfuscated
Medium · Secret Pattern · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Medium · Secret Pattern · dist/index.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings
Low · No License