registry  /  @rizom/brain  /  0.2.0-alpha.146

@rizom/brain@0.2.0-alpha.146

⚠ Under review

Brain runtime + CLI — scaffold, run, and manage AI brain instances

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 6.24 MB of source, external domains: api.cloudflare.com, api.hetzner.cloud, cdn.jsdelivr.net, example.com, fonts.googleapis.com, foo.com, github.com, json-schema.org, react.dev, reactjs.org, rizom.ai, tailwindcss.com, varlock.dev, www.ibm.com, www.w3.org, www.w3ctech.com
Oversized source lightweight scan
dist/brain.js7.13 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsHighEntropyStringsUrlStringsProtestwareapi.cloudflare.comapi.hetzner.cloudgithub.comrizom.aivarlock.dev
dist/ui/app.js13.9 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsgithub.comreact.devreactjs.org

Source & flagged code

6 flagged · loading source
dist/services.jsView file
42return `+str.trim()+`; L43: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L44: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string> L45: * ... L51: `+_.delimiters[1],J=$.content;if(_.language)$.language=_.language;let G=I.length;if(!eq.startsWith(J,I,G))return sq($,_),$;if(J.charAt(G)===I.slice(-1))return $;J=J.slice(G);let X=... L52: `)$.content=$.content.slice(1)}if(sq($,_),_.sections===!0||typeof _.section==="function")NZ($,_.section);return $}E$.engines=OZ;E$.stringify=function($,D,_){if(typeof $==="string")... L53: `).join(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/services.jsView on unpkg · L42
42return `+str.trim()+`; L43: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L44: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string>
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/services.jsView on unpkg · L42
dist/ui/cms-app.jsView file
266contains invisible/control Unicode U+200B (zero width space) `).at(-1);if(U&&U.trim().length>0)return`${H}<U+200B>`}if(Mk.test(w)&&!Y.match(Ck)){let U=J.split(`
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/ui/cms-app.jsView on unpkg · L266
dist/ui/app.jsView file
path = dist/ui/app.js kind = oversized_source_file sizeBytes = 14543892 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ui/app.jsView on unpkg
dist/brain.jsView file
path = dist/brain.js kind = oversized_cli_entrypoint sizeBytes = 7477190 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/brain.jsView on unpkg
dist/interfaces.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rizom/brain@0.2.0-alpha.137 matchedIdentity = npm:QHJpem9tL2JyYWlu:0.2.0-alpha.137 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/interfaces.jsView on unpkg

Findings

1 Critical5 High6 Medium7 Low
CriticalTrojan Source Unicodedist/ui/cms-app.js
HighChild Process
HighSame File Env Network Executiondist/services.js
HighObfuscated
HighOversized Source Filedist/ui/app.js
HighPrevious Version Dangerous Deltadist/interfaces.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumOversized Cli Entrypointdist/brain.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/services.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings