Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · DynamicRequire · EnvironmentVars · Filesystem
HighEntropyStrings · Minified · Obfuscated · UrlStrings
NoLicense
Source & flagged code
3 flagged
dist/metadataengine/MetadataEngine.js
L1: const _0x4c919c=_0x36d3;(function(_0x387584,_0x29c2b2){const _0x325d2c=_0x36d3,_0x2a2ace=_0x387584();while(!![]){try{const _0x48e92f=-parseInt(_0x325d2c(0x4a4,'PR5x'))/(0x1*-0x18f2...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/metadataengine/MetadataEngine.js · L1
cli.js
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network
L6: const __filename = fileURLToPath(import.meta.url);
L7: const __dirname = path.dirname(__filename);
L8:
...
L11: function readVersion() {
L12: const versionFromEnv = process.env.npm[redacted]?.trim();
L13: if (versionFromEnv) return versionFromEnv;
L14: try {
L15: const pkgPath = path.join(__dirname, "package.json");
L16: const raw = fs.readFileSync(pkgPath, "utf8");
L17: const pkg = JSON.parse(raw);
L18: if (typeof pkg?.version === "string" && pkg.version.trim()) {
...
L137: --reconcile-sync MCP_RECONCILE_SYNC block startup until sync done;
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
cli.js · L6
dist/tools/dev/index.js
L1: const _0x5b2af6=_0x5cbe;(function(_0x2c7a4c,_0xdaee48){const _0x1f1418=_0x5cbe,_0x468333=_0x2c7a4c();while(!![]){try{const _0xb9f882=parseInt(_0x1f1418(0x1fe,'Xb@W'))/(0x1d3f+0x3*-...
High
Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/tools/dev/index.js · L1
Findings
3 High · 3 Medium · 5 Low
High · Entrypoint Build Divergence · cli.js
High · Obfuscated Payload Loader · dist/tools/dev/index.js
High · Obfuscated
Medium · Dynamic Require · dist/metadataengine/MetadataEngine.js
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License