Qwen Code - AI-powered coding assistant
No confirmed malicious install-time or import-time attack surface was found. Risky primitives are part of an AI coding assistant CLI and are activated by explicit user commands.
Package contains a critical-looking secret pattern.
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8AWS access key ID in chunks/tree-sitter-bash-VEJGF5XF.js
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8Package source references child process execution.
chunks/chunk-HTWHAN44.jsView on unpkg · L3027Package source references dynamic require/import behavior.
chunks/chunk-NPQWQYU6.jsView on unpkg · L70Package source references weak cryptographic algorithms.
chunks/artifact-tool-SLYPWG3C.jsView on unpkg · L66Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
web-shell/assets/index-DCHPAUp3.jsView on unpkg · L48Source decrypts an embedded payload, writes it to disk, and executes it through a child process.
chunks/chunk-AGZF43UV.jsView on unpkgPackage contains source files above the static scanner size ceiling.
chunks/chunk-AGZF43UV.jsView on unpkgSource exposes local file and command tools to a remote model endpoint.
chunks/chunk-QOKV6AO4.jsView on unpkg · L116Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-QOKV6AO4.jsView on unpkg · L1820Package ships high-entropy non-source blobs.
web-shell/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8AWS access key ID in chunks/tree-sitter-bash-VEJGF5XF.js
chunks/tree-sitter-bash-VEJGF5XF.jsView on unpkg · L8Package source references child process execution.
chunks/chunk-HTWHAN44.jsView on unpkg · L3027Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
web-shell/assets/index-DCHPAUp3.jsView on unpkg · L48Source decrypts an embedded payload, writes it to disk, and executes it through a child process.
chunks/chunk-AGZF43UV.jsView on unpkgPackage contains source files above the static scanner size ceiling.
chunks/chunk-AGZF43UV.jsView on unpkgSource exposes local file and command tools to a remote model endpoint.
chunks/chunk-QOKV6AO4.jsView on unpkg · L116Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
chunks/chunk-QOKV6AO4.jsView on unpkg · L1820Package ships high-entropy non-source blobs.
web-shell/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
chunks/chunk-NPQWQYU6.jsView on unpkg · L70Package source references weak cryptographic algorithms.
chunks/artifact-tool-SLYPWG3C.jsView on unpkg · L66