registry  /  @scelar/nodepod  /  1.9.5

@scelar/nodepod@1.9.5

Browser-native Node.js runtime environment

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 153 file(s), 3.56 MB of source, external domains: api.github.com, cdn.jsdelivr.net, esm.sh, github.com, registry.npmjs.org, unpkg.com, your-sandbox.example.com
Oversized source lightweight scan
dist/index-CJ8pmkRR.cjs3.70 MB file, sampled 256 KB
FilesystemNetworkChildProcessNativeBindingsHighEntropyStringsUrlStringscdn.jsdelivr.netesm.shregistry.npmjs.orgunpkg.com
dist/index-DuMGbkoK.js3.64 MB file, sampled 256 KB
FilesystemNetworkChildProcessNativeBindingsHighEntropyStringsUrlStringscdn.jsdelivr.netesm.shregistry.npmjs.orgunpkg.com

Source & flagged code

11 flagged · loading source
dist/__worker__.jsView file
13patternName = private_key_rsa severity = critical line = 13 matchedText = -----END...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/__worker__.jsView on unpkg · L13
13patternName = private_key_rsa severity = critical line = 13 matchedText = -----END...----
Critical
Secret Pattern

RSA private key in dist/__worker__.js

dist/__worker__.jsView on unpkg · L13
28`;o.write(V.from(y)),o.on("data",d=>{let m=d instanceof Uint8Array?d:new Uint8Array(d),f=new Uint8Array(s._tcpInboundBuf.length+m.length);for(f.set(s._tcpInboundBuf,0),f.set(m,s._t... L29: });`}function lg(){}function cg(e){}function ct(e,t){this.id=e||"",this.filename=e||"",this.loaded=!1,this.parent=t||null,this.children=[],this.exports={},this.paths=[]}var wl,wN,n... L30: });`];_l=class{payload;constructor(t){this.payload=t}findEntry(t,n){}};ct.prototype.require=function(e){throw new Error(`Cannot resolve module '${e}' from '${this.filename}'`)};ct....
High
Child Process

Package source references child process execution.

dist/__worker__.jsView on unpkg · L28
10`,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Tu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))}
High
Shell

Package source references shell execution.

dist/__worker__.jsView on unpkg · L10
1"use strict";(()=>{var yR=Object.create;var Pc=Object.defineProperty;var bR=Object.getOwnPropertyDescriptor;var wR=Object.getOwnPropertyNames;var _R=Object.getPrototypeOf,vR=Object... L2: self.onmessage = function(e) { ... L10: `,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Tu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/__worker__.jsView on unpkg · L1
1"use strict";(()=>{var yR=Object.create;var Pc=Object.defineProperty;var bR=Object.getOwnPropertyDescriptor;var wR=Object.getOwnPropertyNames;var _R=Object.getPrototypeOf,vR=Object... L2: self.onmessage = function(e) { ... L9: }; L10: `,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Tu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))}
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/__worker__.jsView on unpkg · L1
1"use strict";(()=>{var yR=Object.create;var Pc=Object.defineProperty;var bR=Object.getOwnPropertyDescriptor;var wR=Object.getOwnPropertyNames;var _R=Object.getPrototypeOf,vR=Object... L2: self.onmessage = function(e) { ... L9: }; L10: `,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Tu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))} ... L22: `),new Z("",HP,""),new Z("",be,"]"),new Z("",be," for "),new Z("",QP,""),new Z("",WP,""),new Z("",be," a "),new Z("",be," that "),new Z(" ",Rt,""),new Z("",be,". "),new Z(".",be,""... L23: `),new Z("",be,":"),new Z(" ",be,". "),new Z("",be,"ed "),new Z("",JP,""),new Z("",ZP,""),new Z("",qP,""),new Z("",be,"("),new Z("",Rt,", "),new Z("",GP,""),new Z("",be," at "),new... L24: Upgrade: websocket\r ... L2178: `)+1)),nb(f)&&(R=tb(R)),f.endsWith(".cjs"))try{let H=hr(R,{ecmaVersion:"latest",sourceType:"script",allowImportExportEverywhere:!
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/__worker__.jsView on unpkg · L1
20`;try{console.error(w)}catch{}try{let E=globalThis.process?.stderr;E&&typeof E.write=="function"&&E.write(w)}catch{}};try{if(i!=null){I_(l.headers,i);let d=typeof i=="string"?V.fro... L21: `,Rv="/dev/null",Pv={signals:{SIGHUP:1,SIGINT:2,SIGQUIT:3,SIGILL:4,SIGTRAP:5,SIGABRT:6,SIGBUS:7,SIGFPE:8,SIGKILL:9,SIGUSR1:10,SIGSEGV:11,SIGUSR2:12,SIGPIPE:13,SIGALRM:14,SIGTERM:15... L22: `),new Z("",HP,""),new Z("",be,"]"),new Z("",be," for "),new Z("",QP,""),new Z("",WP,""),new Z("",be," a "),new Z("",be," that "),new Z(" ",Rt,""),new Z("",be,". "),new Z(".",be,""...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/__worker__.jsView on unpkg · L20
20`;try{console.error(w)}catch{}try{let E=globalThis.process?.stderr;E&&typeof E.write=="function"&&E.write(w)}catch{}};try{if(i!=null){I_(l.headers,i);let d=typeof i=="string"?V.fro... L21: `,Rv="/dev/null",Pv={signals:{SIGHUP:1,SIGINT:2,SIGQUIT:3,SIGILL:4,SIGTRAP:5,SIGABRT:6,SIGBUS:7,SIGFPE:8,SIGKILL:9,SIGUSR1:10,SIGSEGV:11,SIGUSR2:12,SIGPIPE:13,SIGALRM:14,SIGTERM:15... L22: `),new Z("",HP,""),new Z("",be,"]"),new Z("",be," for "),new Z("",QP,""),new Z("",WP,""),new Z("",be," a "),new Z("",be," that "),new Z(" ",Rt,""),new Z("",be,". "),new Z(".",be,""...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/__worker__.jsView on unpkg · L20
dist/index-CJ8pmkRR.cjsView file
path = dist/index-CJ8pmkRR.cjs kind = oversized_source_file sizeBytes = 3879082 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index-CJ8pmkRR.cjsView on unpkg
src/polyfills/crypto.tsView file
639patternName = private_key_rsa severity = critical line = 639 matchedText = ? `-----...---`
Critical
Secret Pattern

RSA private key in src/polyfills/crypto.ts

src/polyfills/crypto.tsView on unpkg · L639

Findings

3 Critical6 High4 Medium7 Low
CriticalCritical Secretdist/__worker__.js
CriticalSecret Patterndist/__worker__.js
CriticalSecret Patternsrc/polyfills/crypto.ts
HighChild Processdist/__worker__.js
HighShelldist/__worker__.js
HighSame File Env Network Executiondist/__worker__.js
HighCommand Output Exfiltrationdist/__worker__.js
HighObfuscated Payload Loaderdist/__worker__.js
HighOversized Source Filedist/index-CJ8pmkRR.cjs
MediumDynamic Requiredist/__worker__.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/__worker__.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings