Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/client-DeHvk634.jsView file
128const reserved = Object.keys(metadata).find((key) => key.startsWith(RESERVED_METADATA_PREFIX));
L129: if (reserved) throw new ValidationError(`${label} metadata key '${reserved}' is reserved by Tangle`, { metadata: "reserved" });
L130: }
...
L339: }
L340: async exec(machineId, command, options) {
L341: const [result] = await this.dispatchExec(command, {
...
L352: async dispatchExecDetailed(command, options) {
L353: const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, {
L354: method: "POST",
...
L357: if (!response.ok) {
L358: const body = await response.text();
L359: throw parseErrorResponse(response.status, body, void 0, response.headers);
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/client-DeHvk634.jsView on unpkg · L128128Trigger-reachable chain: manifest.main -> dist/index.js -> dist/client-DeHvk634.js
L128: const reserved = Object.keys(metadata).find((key) => key.startsWith(RESERVED_METADATA_PREFIX));
L129: if (reserved) throw new ValidationError(`${label} metadata key '${reserved}' is reserved by Tangle`, { metadata: "reserved" });
L130: }
...
L339: }
L340: async exec(machineId, command, options) {
L341: const [result] = await this.dispatchExec(command, {
...
L352: async dispatchExecDetailed(command, options) {
L353: const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, {
L354: method: "POST",
...
L357: if (!response.ok) {
L358: const body = await response.text();
L359: throw parseErrorResponse(response.status, body, void 0, response.headers);
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/client-DeHvk634.jsView on unpkg · L1281041const [{ existsSync, readFileSync }, { homedir }, { join }] = await Promise.all([
L1042: import("node:fs"),
L1043: import("node:os"),
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/client-DeHvk634.jsView on unpkg · L1041Findings
2 Critical3 Medium4 Low
CriticalCredential Exfiltrationdist/client-DeHvk634.js
CriticalTrigger Reachable Dangerous Capabilitydist/client-DeHvk634.js
MediumDynamic Requiredist/client-DeHvk634.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings