Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStrings
NoLicenseWildcardDependency
Source & flagged code
2 flagged · loading sourcedist/services/event-service.jsView file
15const node_crypto_1 = __importDefault(require("node:crypto"));
L16: const promises_1 = __importDefault(require("node:dns/promises"));
L17: const pool_helpers_js_1 = require("../pool-helpers.js");
...
L39: ]);
L40: /** Check if an IP matches any blocked private/reserved range. */
L41: function isBlockedIp(ip) {
...
L142: tenant_id: event.tenant_id,
L143: data: event.data,
L144: created_at: event.created_at,
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/services/event-service.jsView on unpkg · L15dist/telemetry.jsView file
20package = @stratum-hq/lib; repositoryIdentity = stratum; dependency = @opentelemetry/api
L20: // eslint-disable-next-line @typescript-eslint/no-require-imports
L21: otel = require("@opentelemetry/api");
L22: }
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/telemetry.jsView on unpkg · L20Findings
2 High4 Medium4 Low
HighCloud Metadata Accessdist/services/event-service.js
HighCopied Package Dependency Bridgedist/telemetry.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License