Static Scan Results
scanned 15d ago · by rust-scannerStatic analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
5 flagged · loading sourcedist/util/update/updateChecker.jsView file
1import { spawn } from 'node:child_process';
L2: import { fileURLToPath } from 'node:url';
High
Child Process
Package source references child process execution.
dist/util/update/updateChecker.jsView on unpkg · L1dist/util/packageManager/installationInfo/detectGlobals.jsView file
1import path from 'node:path';
L2: import { execa } from 'execa';
L3: import which from 'which';
High
Shell
Package source references shell execution.
dist/util/packageManager/installationInfo/detectGlobals.jsView on unpkg · L1dist/actions/manifest/writeWorkspaceFiles.jsView file
1import { createHash } from 'node:crypto';
L2: import { writeFile } from 'node:fs/promises';
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/actions/manifest/writeWorkspaceFiles.jsView on unpkg · L1dist/commands/codemod.jsView file
118try {
L119: const npxHelp = execSync('npx --help', {
L120: encoding: 'utf8'
...
L122: if (!npxHelp.includes('npm')) {
L123: this.error('Not the npx we expected', {
L124: exit: 1
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/codemod.jsView on unpkg · L118bin/run.cmdView file
•path = bin/run.cmd
kind = build_helper
sizeBytes = 31
magicHex = [redacted]
Medium
Findings
3 High4 Medium6 Low
HighChild Processdist/util/update/updateChecker.js
HighShelldist/util/packageManager/installationInfo/detectGlobals.js
HighRuntime Package Installdist/commands/codemod.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/run.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/actions/manifest/writeWorkspaceFiles.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings