Static Scan Results
scanned 12d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./bin/cleanup-globals.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgbin/ssg.cjsView file
6L7: const { execFileSync, spawnSync } = require("node:child_process");
L8: const path = require("node:path");
...
L10:
L11: const ext = process.platform === "win32" ? ".exe" : "";
L12: const platformPkg = `@sigmashake/ssg-${process.platform}-${process.arch}`;
...
L24: // install.
L25: // b) default (walks UP from __dirname) — the nested copy at
L26: // @sigmashake/ssg/node_modules/@sigmashake/ssg-<plat>-<arch>, which npm
...
L44: try {
L45: return JSON.parse(fs.readFileSync(pkgJsonPath, "utf8")).version;
L46: } catch {
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/ssg.cjsView on unpkg · L6Findings
2 High3 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitybin/ssg.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License