
@rsalmn/extremerouter@0.1.0-beta

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No License
scanned 781 file(s), 3.99 MB of source, external domains: 127.0.0.1, 9remote.cc, 9router.com, abc-tunnel.us, accounts.google.com, agent.api5.cursor.sh, agentn.api5.cursor.sh, ai-gateway.vercel.sh, ai.google.dev, aiplatform.googleapis.com, aistudio.google.com, antigravity.google, api-dashboard.search.brave.com, api-inference.huggingface.co, api.anthropic.com, api.assemblyai.com, api.bfl.ai, api.blackbox.ai, api.cartesia.ai, api.cerebras.ai, api.cline.bot, api.cloudflare.com, api.cohere.ai, api.commandcode.ai, api.deepai.org, api.deepgram.com, api.deepseek.com, api.deno.com, api.dev.runwayml.com, api.elevenlabs.io, api.exa.ai, api.example.com, api.firecrawl.dev, api.fireworks.ai, api.github.com, api.githubcopilot.com, api.groq.com, api.hyperbolic.xyz, api.inworld.ai, api.jina.ai, api.kilo.ai, api.kimi.com, api.linkup.so, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.cn, api.nanobananaapi.ai, api.openai.com, api.perplexity.ai

Source & flagged code

10 flagged

package.json
  scripts.postinstall = npm run build
  High · Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts.
  Location: package.json

  Runtime dependency names matching Node built-ins: fs
  High · Node Builtin Dependency Squat
  Package declares a runtime dependency whose name matches a Node built-in module.
  Location: package.json

  scripts.postinstall = npm run build
  Medium · Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.
  Location: package.json
open-sse/handlers/ttsProviders/localDevice.js
  L1: // Local device TTS — macOS `say` + Windows SAPI + ffmpeg
  L2: import { execFile } from "node:child_process";
  L3: import { promisify } from "node:util";
  High · Child Process
  Package source references child process execution.
  Location: open-sse/handlers/ttsProviders/localDevice.js, line 1

  L35: const { stdout } = await execFileAsync(
  L36:   "powershell.exe",
  L37:   ["-NoProfile", "-NonInteractive", "-WindowStyle", "Hidden", "-Command", script],
  High · Shell
  Package source references shell execution.
  Location: open-sse/handlers/ttsProviders/localDevice.js, line 35
open-sse/executors/duckduckgo-ai.js
  L3:  *
  L4:  * Free, anonymous access to DuckDuckGo AI Chat (https://duck.ai).
  L5:  * No credentials required — authentication is per-request via a VQD anti-bot ...
  ...
  L10: * 2. Acquire VQD: GET /duckchat/v1/status → read x-vqd-4 / x-vqd-hash-1
  L11: * 3. Solve challenge: base64-decode x-vqd-hash-1, run in node:vm with DOM stubs,
  L12: *    SHA-256 each client_hash, re-encode → new x-vqd-hash-1
  L13: * 4. Chat: POST /duckchat/v1/chat with model + messages + durableStream
  L14: * 5. Transform: DDG NDJSON `data:{message}` → OpenAI SSE / chat.completion
  L15: *
  Medium · Unsafe Vm Context
  Package source executes code through a VM context API.
  Location: open-sse/executors/duckduckgo-ai.js, line 3
open-sse/shared/qoder/cosy.js
  L43:
  L44: function aesEncryptCbcBase64(plaintext, keyStr) {
  L45:   const keyBytes = Buffer.from(keyStr, "utf8");
  ...
  L113:  * @param {string} [creds.machineId] Persisted machine UUID.
  L114:  * @returns {Record<string, string>} Header map ready to merge onto fetch().
  L115:  */
  Low · Weak Crypto
  Package source references weak cryptographic algorithms.
  Location: open-sse/shared/qoder/cosy.js, line 43
src/mitm/manager.js
  L1: const { exec, spawn, execSync } = require("child_process");
  L2: const path = require("path");
  ...
  L4: const os = require("os");
  L5: const net = require("net");
  L6: const https = require("https");
  ...
  L10:
  L11: const IS_WIN = process.platform === "win32";
  L12: const IS_MAC = process.platform === "darwin";
  ...
  L54: function resolveBundledServerPath() {
  L55:   if (process.env.MITM_SERVER_PATH) return process.env.MITM_SERVER_PATH;
  L56:   const sibling = path.join(__dirname, "server.js");
  L57:   if (fs.existsSync(sibling)) return sibling;
  Medium · Install Persistence
  Source writes installer persistence such as shell profile or service configuration.
  Location: src/mitm/manager.js, line 1
cli/cli.js
  L738: console.log(`🔔 9Router is running in tray (PID: ${process.pid})`);
  L739: console.log(`   Server: http://${displayHost}:${port}`);
  L740: console.log(`\n💡 You can close this terminal. Right-click tray icon to quit.\n`);
  ...
  L748:
  L749: const bgProcess = spawn(process.execPath, [__filename, "--tray", "--skip-update", "-p", port.toString()], {
  L750:   detached: true,
  ...
  L752:   windowsHide: true,
  L753:   env: { ...process.env }
  L754: });
  High · Same File Env Network Execution
  A single source file combines environment access, network access, and code or shell execution; review context before blocking.
  Location: cli/cli.js, line 738
src/lib/updater/updater.js
  L1: // Standalone detached updater process.
  L2: // Spawns `npm i -g <pkg>@latest`, exposes progress via tiny HTTP server.
  L3: // Survives after parent Next server exits (detached + unref by spawner).
  L4:
  L5: const { spawn } = require("child_process");
  L6: const http = require("http");
  High · Runtime Package Install
  Package source invokes a package manager install command at runtime.
  Location: src/lib/updater/updater.js, line 1

Findings

6 High · 6 Medium · 6 Low

Severity  Finding                             File
High      Install Time Lifecycle Scripts      package.json
High      Child Process                       open-sse/handlers/ttsProviders/localDevice.js
High      Shell                               open-sse/handlers/ttsProviders/localDevice.js
High      Same File Env Network Execution     cli/cli.js
High      Runtime Package Install             src/lib/updater/updater.js
High      Node Builtin Dependency Squat       package.json
Medium    Ambiguous Install Lifecycle Script  package.json
Medium    Unsafe Vm Context                   open-sse/executors/duckduckgo-ai.js
Medium    Network
Medium    Environment Vars
Medium    Install Persistence                 src/mitm/manager.js
Medium    Structural Risk Force Deep Review
Low       Scripts Present
Low       Weak Crypto                         open-sse/shared/qoder/cosy.js
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings
Low       No License