Qwen Code - AI-powered coding assistant
Static analysis flagged 27 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Package contains a critical-looking secret pattern.
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8AWS access key ID in chunks/tree-sitter-bash-VEJGF5XF.js
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8Package source references child process execution.
chunks/chunk-BKNPMEN6.jsView on unpkg · L93Package source references a known benign dynamic code generation pattern.
chunks/chunk-ANRANWVE.jsView on unpkg · L3201Package source references dynamic require/import behavior.
chunks/chunk-HD6EGS5K.jsView on unpkg · L92Package source executes code through a VM context API.
chunks/workflow-G7U6OQWS.jsView on unpkg · L287Package source references weak cryptographic algorithms.
chunks/chunk-W4UN42YP.jsView on unpkg · L433Source writes installer persistence such as shell profile or service configuration.
chunks/chunk-WIYV7CSF.jsView on unpkg · L6Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
chunks/chunk-OBSLEYCD.jsView on unpkg · L19Source decrypts an embedded payload, writes it to disk, and executes it through a child process.
chunks/chunk-GCY7QTCE.jsView on unpkgSource exposes local file and command tools to a remote model endpoint.
chunks/chunk-NALRQ3SG.jsView on unpkg · L218Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-GEHSF7MS.jsView on unpkg · L41Package ships high-entropy non-source blobs.
web-shell/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
chunks/chunk-CPU6I5YV.jsView on unpkgPackage contains a critical-looking secret pattern.
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8AWS access key ID in chunks/tree-sitter-bash-VEJGF5XF.js
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8Package source references child process execution.
chunks/chunk-BKNPMEN6.jsView on unpkg · L93Package source references a known benign dynamic code generation pattern.
chunks/chunk-ANRANWVE.jsView on unpkg · L3201Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
chunks/chunk-OBSLEYCD.jsView on unpkg · L19Source decrypts an embedded payload, writes it to disk, and executes it through a child process.
chunks/chunk-GCY7QTCE.jsView on unpkgSource exposes local file and command tools to a remote model endpoint.
chunks/chunk-NALRQ3SG.jsView on unpkg · L218Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-GEHSF7MS.jsView on unpkg · L41Package ships high-entropy non-source blobs.
web-shell/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
chunks/chunk-CPU6I5YV.jsView on unpkgPackage source references dynamic require/import behavior.
chunks/chunk-HD6EGS5K.jsView on unpkg · L92Package source executes code through a VM context API.
chunks/workflow-G7U6OQWS.jsView on unpkg · L287Package source references weak cryptographic algorithms.
chunks/chunk-W4UN42YP.jsView on unpkg · L433Source writes installer persistence such as shell profile or service configuration.
chunks/chunk-WIYV7CSF.jsView on unpkg · L6