registry  /  @scelar/nodepod  /  1.9.7

@scelar/nodepod@1.9.7

⚠ Under review

Browser-native Node.js runtime environment

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 153 file(s), 3.57 MB of source, external domains: api.github.com, cdn.jsdelivr.net, esm.sh, github.com, registry.npmjs.org, unpkg.com, your-sandbox.example.com
Oversized source lightweight scan
dist/index-Dg10PY2c.cjs3.70 MB file, sampled 256 KB
FilesystemNetworkChildProcessNativeBindingsHighEntropyStringsUrlStringscdn.jsdelivr.netesm.shregistry.npmjs.orgunpkg.com
dist/index-k70-oPyB.js3.65 MB file, sampled 256 KB
FilesystemNetworkChildProcessNativeBindingsHighEntropyStringsUrlStringscdn.jsdelivr.netesm.shregistry.npmjs.orgunpkg.com

Source & flagged code

12 flagged · loading source
dist/__worker__.jsView file
13patternName = private_key_rsa severity = critical line = 13 matchedText = -----END...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/__worker__.jsView on unpkg · L13
13patternName = private_key_rsa severity = critical line = 13 matchedText = -----END...----
Critical
Secret Pattern

RSA private key in dist/__worker__.js

dist/__worker__.jsView on unpkg · L13
10`,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Cu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))}
High
Shell

Package source references shell execution.

dist/__worker__.jsView on unpkg · L10
1"use strict";(()=>{var wR=Object.create;var Pc=Object.defineProperty;var _R=Object.getOwnPropertyDescriptor;var vR=Object.getOwnPropertyNames;var xR=Object.getPrototypeOf,SR=Object... L2: self.onmessage = function(e) { ... L10: `,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Cu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/__worker__.jsView on unpkg · L1
1"use strict";(()=>{var wR=Object.create;var Pc=Object.defineProperty;var _R=Object.getOwnPropertyDescriptor;var vR=Object.getOwnPropertyNames;var xR=Object.getPrototypeOf,SR=Object... L2: self.onmessage = function(e) { ... L9: }; L10: `,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Cu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))}
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/__worker__.jsView on unpkg · L1
1"use strict";(()=>{var wR=Object.create;var Pc=Object.defineProperty;var _R=Object.getOwnPropertyDescriptor;var vR=Object.getOwnPropertyNames;var xR=Object.getPrototypeOf,SR=Object... L2: self.onmessage = function(e) { ... L9: }; L10: `,t=URL.createObjectURL(new Blob([e],{type:"application/javascript"})),n=new Worker(t);return URL.revokeObjectURL(t),n.onmessage=r=>{let{id:i,ok:s,module:o,error:a}=r.data,l=Cu.get... L11: `);return{[Symbol.asyncIterator](){let w=0;return{next(){return w<p.length?Promise.resolve({value:p[w++],done:!1}):Promise.resolve({value:void 0,done:!0})}}}}}readv(m,f){let p=n.ge... L12: ${btoa(String.fromCharCode(...i))} ... L22: `),new Z("",VP,""),new Z("",be,"]"),new Z("",be," for "),new Z("",YP,""),new Z("",jP,""),new Z("",be," a "),new Z("",be," that "),new Z(" ",Rt,""),new Z("",be,". "),new Z(".",be,""... L23: `),new Z("",be,":"),new Z(" ",be,". "),new Z("",be,"ed "),new Z("",t3,""),new Z("",e3,""),new Z("",GP,""),new Z("",be,"("),new Z("",Rt,", "),new Z("",QP,""),new Z("",be," at "),new... L24: Upgrade: websocket\r ... L2212: `)+1)),sb(f)&&(R=ib(R)),f.endsWith(".cjs"))try{let H=dr(R,{ecmaVersion:"latest",sourceType:"script",allowImportExportEverywhere:!
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/__worker__.jsView on unpkg · L1
20`;try{console.error(w)}catch{}try{let E=globalThis.process?.stderr;E&&typeof E.write=="function"&&E.write(w)}catch{}};try{if(i!=null){L_(l.headers,i);let h=typeof i=="string"?V.fro... L21: `,Ov="/dev/null",Nv={signals:{SIGHUP:1,SIGINT:2,SIGQUIT:3,SIGILL:4,SIGTRAP:5,SIGABRT:6,SIGBUS:7,SIGFPE:8,SIGKILL:9,SIGUSR1:10,SIGSEGV:11,SIGUSR2:12,SIGPIPE:13,SIGALRM:14,SIGTERM:15... L22: `),new Z("",VP,""),new Z("",be,"]"),new Z("",be," for "),new Z("",YP,""),new Z("",jP,""),new Z("",be," a "),new Z("",be," that "),new Z(" ",Rt,""),new Z("",be,". "),new Z(".",be,""...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/__worker__.jsView on unpkg · L20
dist/child_process-s5oA6j5C.cjsView file
13aliases = /* @__PURE__ */ new Map(); L14: // serializes concurrent exec() calls to prevent cwd save/restore races L15: _execQueue = Promise.resolve({ stdout: "", stderr: "", exitCode: 0 });
High
Child Process

Package source references child process execution.

dist/child_process-s5oA6j5C.cjsView on unpkg · L13
4L5: const index = require('./index-Dg10PY2c.cjs'); L6:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/child_process-s5oA6j5C.cjsView on unpkg · L4
dist/index-k70-oPyB.jsView file
path = dist/index-k70-oPyB.js kind = oversized_source_file sizeBytes = 3825387 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index-k70-oPyB.jsView on unpkg
src/helpers/napi-wasm-worker.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @scelar/nodepod@1.9.5 matchedIdentity = npm:QHNjZWxhci9ub2RlcG9k:1.9.5 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/helpers/napi-wasm-worker.tsView on unpkg
src/polyfills/crypto.tsView file
639patternName = private_key_rsa severity = critical line = 639 matchedText = ? `-----...---`
Critical
Secret Pattern

RSA private key in src/polyfills/crypto.ts

src/polyfills/crypto.tsView on unpkg · L639

Findings

4 Critical6 High4 Medium6 Low
CriticalCritical Secretdist/__worker__.js
CriticalPrevious Version Dangerous Deltasrc/helpers/napi-wasm-worker.ts
CriticalSecret Patterndist/__worker__.js
CriticalSecret Patternsrc/polyfills/crypto.ts
HighChild Processdist/child_process-s5oA6j5C.cjs
HighShelldist/__worker__.js
HighSame File Env Network Executiondist/__worker__.js
HighCommand Output Exfiltrationdist/__worker__.js
HighObfuscated Payload Loaderdist/__worker__.js
HighOversized Source Filedist/index-k70-oPyB.js
MediumDynamic Requiredist/child_process-s5oA6j5C.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/__worker__.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings