Qwen Code - AI-powered coding assistant
No confirmed malicious attack surface is established by static inspection. Risky capabilities are part of a user-invoked AI coding assistant and extension platform, with no npm lifecycle trigger.
Package contains a critical-looking secret pattern.
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8AWS access key ID in chunks/tree-sitter-bash-VEJGF5XF.js
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8Package source references child process execution.
chunks/chunk-RRFZXMYP.jsView on unpkg · L219Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-RRFZXMYP.jsView on unpkg · L43Source writes installer persistence such as shell profile or service configuration.
chunks/chunk-RRFZXMYP.jsView on unpkg · L43Package source references a known benign dynamic code generation pattern.
chunks/chunk-N4EJFBN5.jsView on unpkg · L273Package source references weak cryptographic algorithms.
chunks/chunk-N4EJFBN5.jsView on unpkg · L12Package source references dynamic require/import behavior.
chunks/chunk-R5OP2ATH.jsView on unpkg · L158Package source executes code through a VM context API.
chunks/workflow-LAWIW5LI.jsView on unpkg · L278Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
web-shell/assets/index-w6GTOHh1.jsView on unpkg · L48Source decrypts an embedded payload, writes it to disk, and executes it through a child process.
chunks/chunk-YAINVQ3Q.jsView on unpkgSource exposes local file and command tools to a remote model endpoint.
chunks/chunk-FKAVULLM.jsView on unpkg · L1111Package ships high-entropy non-source blobs.
web-shell/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
chunks/dist-LB6OGPVM.jsView on unpkgTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8AWS access key ID in chunks/tree-sitter-bash-VEJGF5XF.js
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8Package source references child process execution.
chunks/chunk-RRFZXMYP.jsView on unpkg · L219Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-RRFZXMYP.jsView on unpkg · L43Source writes installer persistence such as shell profile or service configuration.
chunks/chunk-RRFZXMYP.jsView on unpkg · L43Package source references a known benign dynamic code generation pattern.
chunks/chunk-N4EJFBN5.jsView on unpkg · L273Package source references weak cryptographic algorithms.
chunks/chunk-N4EJFBN5.jsView on unpkg · L12Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
web-shell/assets/index-w6GTOHh1.jsView on unpkg · L48Source decrypts an embedded payload, writes it to disk, and executes it through a child process.
chunks/chunk-YAINVQ3Q.jsView on unpkgSource exposes local file and command tools to a remote model endpoint.
chunks/chunk-FKAVULLM.jsView on unpkg · L1111Package ships high-entropy non-source blobs.
web-shell/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
chunks/dist-LB6OGPVM.jsView on unpkgTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
chunks/chunk-R5OP2ATH.jsView on unpkg · L158Package source executes code through a VM context API.
chunks/workflow-LAWIW5LI.jsView on unpkg · L278