Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStrings
Source & flagged code
2 flagged · loading sourceindex.cjs.jsView file
50this file except in compliance with the License. You may obtain a copy of the
L51: License at http://www.apache.org/licenses/LICENSE-2.0
L52:
...
L2546: }
L2547: this.ws.send(message);
L2548: }
...
L2862: } else if (_instanceof$2(event.data, Blob)) {
L2863: event.data.arrayBuffer().then(function(buf) {
L2864: return _this.handleBinaryMessage(new Uint8Array(buf));
...
L3355: *
L3356: * Use this for non-interactive commands where you want captured stdout/stderr
L3357: * back as a `CommandFinished` result, or a live `Command` handle when
Critical
Remote Asset Decode Execute
Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
index.cjs.jsView on unpkg · L50node.cjs.jsView file
•Trigger-reachable chain: manifest.main -> node.cjs.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
node.cjs.jsView on unpkgFindings
2 Critical1 High3 Medium2 Low
CriticalRemote Asset Decode Executeindex.cjs.js
CriticalTrigger Reachable Dangerous Capabilitynode.cjs.js
HighChild Process
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings