Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/download-binary.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•Runtime dependency names matching Node built-ins: fs
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgscripts/build-pdf-bundle.jsView file
14L15: const fs = require('fs');
L16: const path = require('path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
scripts/build-pdf-bundle.jsView on unpkg · L14scripts/download-binary.jsView file
1const https = require('https');
L2: const fs = require('fs');
...
L23:
L24: let S3_PRIVATE = process.env.S3_PRIVATE || false; // Set to true if libraries are in a private S3 bucket
L25: const AWS_REGION = process.env.AWS_REGION || 'us-west-2'; // Used only for private S3 bucket access
...
L56:
L57: const rawPlatform = process.platform;
L58: const rawArch = process.arch;
...
L72: const baseUrl = `https://${PUBLIC_BUCKET_NAME}.s3.${PUBLIC_BUCKET_REGION}.amazonaws.com/${PUBLIC_LIBRARY_PATH}/`;
L73: const localDir = path.join(__dirname, '..', 'lib');
L74:
...
L138: const command = new GetObjectCommand({ Bucket: bucket, Key: s3Key });
Low
Weak Crypto
Package source references weak cryptographic algorithms.
scripts/download-binary.jsView on unpkg · L1Findings
2 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requirescripts/build-pdf-bundle.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoscripts/download-binary.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings