registry  /  @shumai-one/shumai  /  0.1.10

@shumai-one/shumai@0.1.10

⚠ Under review

A fullstack AI-powered media workspace and workflow engine

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
NoLicense
scanned 113 file(s), 7.57 MB of source, external domains: 127.0.0.1, 169.254.169.254, a.com, ai-gateway.vercel.sh, api.ant-ling.com, api.anthropic.com, api.atlassian.com, api.cerebras.ai, api.cloudflare.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.individual.githubcopilot.com, api.kimi.com, api.linkedin.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.together.ai, api.x.ai, api.xiaomimimo.com, api.z.ai, appleid.apple.com, auth.atlassian.com, bedrock-runtime.eu-central-1.amazonaws.com, bedrock-runtime.us-east-1.amazonaws.com, better-auth.com, bit.ly, cdn.jsdelivr.net, chatgpt.com, codeload.github.com, datatracker.ietf.org, docs.expo.dev, docs.mistral.ai, dotenvx.com, dummy.com, example.com, fallback.com, gateway.ai.cloudflare.com, generativelanguage.googleapis.com, git.io, github.com, help.openai.com, integrate.api.nvidia.com, json-schema.org, konvajs.github.io, konvajs.org

Source & flagged code

10 flagged · loading source
bin/shumai-app.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @shumai-one/shumai@0.1.6 matchedIdentity = npm:QHNodW1haS1vbmUvc2h1bWFp:0.1.6 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/shumai-app.jsView on unpkg
1Cross-file remote execution chain: bin/shumai-app.js spawns bin/chunk-5a2maxwp.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{Bb as qs,Cb as Il}from"./chunk-mv79zk8q.js";import"./chunk-ec88pb09.js";import"./chunk-3rt9mnj3.js";import"./chunk-xg9xscqz.js";import{$b as g0,Lb as l6,Mb as DW,Nb as $X,Ob... L3: `);let Q;while((Q=F00.exec(w))!=null){let X=Q[1],J=Q[2]||"";J=J.trim();let Y=J[0];if(J=J.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),Y==='"')J=J.replace(/\\n/g,` L4: `),J=J.replace(/\\r/g,"\r");$[X]=J}return $}function A00(W){W=W||{};let $=OS(W);W.path=$;let w=n4.configDotenv(W);if(!w.parsed){let Y=Error(`MISSING_DATA: Cannot parse ${$} for an ... L5: `)}return Q};kN.decode=function(W,$){if(typeof W!=="string")throw TypeError('"input" must be a string.');if(typeof $!=="string")throw TypeError('"alphabet" must be a string.');var ... ... L16: `+$.substr(Y);else $=$.substr(0,Y)+`\r L17: `+H+$.substr(Y+1);J=X-Y-1,Y=-1,++X}else if($[X]===" "||$[X]==="\t"||$[X]===",")Y=X;return $}function w10(W){return W.replace(/^\s+/,"")}});var XH=w0((xf0,oS)=>{var xW=w5();LV();dN(... L18: `;J+="Encryption: "+X+`\r ... L184: \r L185: `)}}),$.on("request",async(w,Q)=…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/shumai-app.jsView on unpkg · L1
1187patternName = generic_password severity = medium line = 1187 matchedText = `,runtim...$+=`
Medium
Secret Pattern

Package contains a possible secret pattern.

bin/shumai-app.jsView on unpkg · L1187
1// @bun L2: import{Bb as qs,Cb as Il}from"./chunk-mv79zk8q.js";import"./chunk-ec88pb09.js";import"./chunk-3rt9mnj3.js";import"./chunk-xg9xscqz.js";import{$b as g0,Lb as l6,Mb as DW,Nb as $X,Ob... L3: `);let Q;while((Q=F00.exec(w))!=null){let X=Q[1],J=Q[2]||"";J=J.trim();let Y=J[0];if(J=J.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),Y==='"')J=J.replace(/\\n/g,` L4: `),J=J.replace(/\\r/g,"\r");$[X]=J}return $}function A00(W){W=W||{};let $=OS(W);W.path=$;let w=n4.configDotenv(W);if(!w.parsed){let Y=Error(`MISSING_DATA: Cannot parse ${$} for an ... L5: `)}return Q};kN.decode=function(W,$){if(typeof W!=="string")throw TypeError('"input" must be a string.');if(typeof $!=="string")throw TypeError('"alphabet" must be a string.');var ... ... L16: `+$.substr(Y);else $=$.substr(0,Y)+`\r L17: `+H+$.substr(Y+1);J=X-Y-1,Y=-1,++X}else if($[X]===" "||$[X]==="\t"||$[X]===",")Y=X;return $}function w10(W){return W.replace(/^\s+/,"")}});var XH=w0((xf0,oS)=>{var xW=w5();LV();dN(... L18: `;J+="Encryption: "+X+`\r ... L184: \r L185: `)}}),$.on("request",async(w,Q)=>{try{let X=new J$0(w.url),J=W2(X.hostname),Y=X.port?parseInt(X.port,10):X.protocol==="https:"?443:80;if(!await W.filter(Y,J,w.socket)){H0(`HTTP
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/shumai-app.jsView on unpkg · L1
1// @bun L2: import{Bb as qs,Cb as Il}from"./chunk-mv79zk8q.js";import"./chunk-ec88pb09.js";import"./chunk-3rt9mnj3.js";import"./chunk-xg9xscqz.js";import{$b as g0,Lb as l6,Mb as DW,Nb as $X,Ob... L3: `);let Q;while((Q=F00.exec(w))!=null){let X=Q[1],J=Q[2]||"";J=J.trim();let Y=J[0];if(J=J.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),Y==='"')J=J.replace(/\\n/g,` L4: `),J=J.replace(/\\r/g,"\r");$[X]=J}return $}function A00(W){W=W||{};let $=OS(W);W.path=$;let w=n4.configDotenv(W);if(!w.parsed){let Y=Error(`MISSING_DATA: Cannot parse ${$} for an ... L5: `)}return Q};kN.decode=function(W,$){if(typeof W!=="string")throw TypeError('"input" must be a string.');if(typeof $!=="string")throw TypeError('"alphabet" must be a string.');var ... ... L16: `+$.substr(Y);else $=$.substr(0,Y)+`\r L17: `+H+$.substr(Y+1);J=X-Y-1,Y=-1,++X}else if($[X]===" "||$[X]==="\t"||$[X]===",")Y=X;return $}function w10(W){return W.replace(/^\s+/,"")}});var XH=w0((xf0,oS)=>{var xW=w5();LV();dN(... L18: `;J+="Encryption: "+X+`\r ... L184: \r L185: `)}}),$.on("request",async(w,Q)=>{try{let X=new J$0(w.url),J=W2(X.hostname),Y=X.port?parseInt(X.port,10):X.protocol==="https:"?443:80;if(!await W.filter(Y,J,w.socket)){H0(`HTTP
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/shumai-app.jsView on unpkg · L1
bin/chunk-mjan6b09.jsView file
24${D} L25: `+await Z.crypto.sha256DigestHex(G),I=await sq(Z.crypto,Z.securityCredentials.secretAccessKey,K,Z.region,Y),P=await e4(Z.crypto,I,T),O=`${SY} Credential=${Z.securityCredentials.acc... L26: To learn more about authentication and Google APIs, visit:
High
Child Process

Package source references child process execution.

bin/chunk-mjan6b09.jsView on unpkg · L24
13`+I+"}":"{"+P.join(",")+"}",Y=I,D}}if(typeof U$.stringify!=="function")U$.stringify=function(w,F,z){var G;if(Y="",W="",typeof z==="number")for(G=0;G<z;G+=1)W+=" ";else if(typeof z=... L14: `,r:"\r",t:"\t"},J,K=function(I){throw{name:"SyntaxError",message:I,at:Q,text:J}},q=function(I){if(I&&I!==Y)K("Expected '"+I+"' instead of '"+Y+"'");return Y=J.charAt(Q),Q+=1,Y},H=... L15: Supported algorithms are: ... L24: ${D} L25: `+await Z.crypto.sha256DigestHex(G),I=await sq(Z.crypto,Z.securityCredentials.secretAccessKey,K,Z.region,Y),P=await e4(Z.crypto,I,T),O=`${SY} Credential=${Z.securityCredentials.acc... L26: To learn more about authentication and Google APIs, visit:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/chunk-mjan6b09.jsView on unpkg · L13
13`+I+"}":"{"+P.join(",")+"}",Y=I,D}}if(typeof U$.stringify!=="function")U$.stringify=function(w,F,z){var G;if(Y="",W="",typeof z==="number")for(G=0;G<z;G+=1)W+=" ";else if(typeof z=... L14: `,r:"\r",t:"\t"},J,K=function(I){throw{name:"SyntaxError",message:I,at:Q,text:J}},q=function(I){if(I&&I!==Y)K("Expected '"+I+"' instead of '"+Y+"'");return Y=J.charAt(Q),Q+=1,Y},H=... L15: Supported algorithms are: ... L24: ${D} L25: `+await Z.crypto.sha256DigestHex(G),I=await sq(Z.crypto,Z.securityCredentials.secretAccessKey,K,Z.region,Y),P=await e4(Z.crypto,I,T),O=`${SY} Credential=${Z.securityCredentials.acc... L26: To learn more about authentication and Google APIs, visit:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/chunk-mjan6b09.jsView on unpkg · L13
1// @bun L2: import{Zj as I8,_j as b,ck as a}from"./chunk-kbzm1pwx.js";var gZ=b((tU,fZ)=>{function O0(Z,$){if(typeof $==="boolean")$={forever:$};if(this._originalTimeouts=JSON.parse(JSON.string... L3: `)||Q,code:W,status:Y},Z.data.error)}return Object.assign({message:Q,code:W,status:Y},Z.data.error)}}return{message:Q,code:Z.status,status:Z.statusText}}}j0.GaxiosError=U8;function... L4: Content-Type: ${W}\r ... L13: `+I+"}":"{"+P.join(",")+"}",Y=I,D}}if(typeof U$.stringify!=="function")U$.stringify=function(w,F,z){var G;if(Y="",W="",typeof z==="number")for(G=0;G<z;G+=1)W+=" ";else if(typeof z=... L14: `,r:"\r",t:"\t"},J,K=function(I){throw{name:"SyntaxError",message:I,at:Q,text:J}},q=function(I){if(I&&I!==Y)K("Expected '"+I+"' instead of '"+Y+"'");return Y=J.charAt(Q),Q+=1,Y},H=... L15: Supported algorithms are: L16: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,s4="secret must be a string or buffer",P4="key must be a str... L17: `});let F=w.join(";"),z=await Z.crypto.sha256DigestHex(Q),G=`${Z.method.toUpperCase()} ... L24: ${D} L25: `+await Z.crypto.sha256DigestHex(G),I=await sq(Z.crypto,Z.securityCredenti
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

bin/chunk-mjan6b09.jsView on unpkg · L1
bin/chunk-5a2maxwp.jsView file
1import{$j as s}from"./chunk-kbzm1pwx.js";var mc={};s(mc,{xor:()=>Zl,xid:()=>kl,void:()=>Bl,uuidv7:()=>$l,uuidv6:()=>ul,uuidv4:()=>el,uuid:()=>vl,util:()=>k,url:()=>gl,uppercase:()=... L2: `)}var Pr=(n)=>(i,o,v,r)=>{let t=v?{...v,async:!1}:{async:!1},e=i._zod.run({value:o,issues:[]},t);if(e instanceof Promise)throw new C;if(e.issues.length){let u=new(r?.Err??n)(e.iss...
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/chunk-5a2maxwp.jsView on unpkg · L1

Findings

1 Critical6 High6 Medium8 Low
CriticalPrevious Version Dangerous Deltabin/shumai-app.js
HighChild Processbin/chunk-mjan6b09.js
HighShell
HighSame File Env Network Executionbin/chunk-mjan6b09.js
HighCommand Output Exfiltrationbin/chunk-mjan6b09.js
HighCloud Metadata Accessbin/chunk-mjan6b09.js
HighCross File Remote Execution Contextbin/shumai-app.js
MediumSecret Patternbin/shumai-app.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/shumai-app.js
MediumProtestware
MediumStructural Risk Force Deep Review
LowEvalbin/chunk-5a2maxwp.js
LowWeak Cryptobin/shumai-app.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License