Static Scan Results
scanned 9d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/client-BZSkXIEp.jsView file
128const reserved = Object.keys(metadata).find((key) => key.startsWith(RESERVED_METADATA_PREFIX));
L129: if (reserved) throw new ValidationError(`${label} metadata key '${reserved}' is reserved by Tangle`, { metadata: "reserved" });
L130: }
...
L309: }
L310: async exec(machineId, command, options) {
L311: const [result] = await this.dispatchExec(command, {
...
L322: async dispatchExecDetailed(command, options) {
L323: const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, {
L324: method: "POST",
...
L327: if (!response.ok) {
L328: const body = await response.text();
L329: throw parseErrorResponse(response.status, body, void 0, response.headers);
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/client-BZSkXIEp.jsView on unpkg · L128128Trigger-reachable chain: manifest.main -> dist/index.js -> dist/client-BZSkXIEp.js
L128: const reserved = Object.keys(metadata).find((key) => key.startsWith(RESERVED_METADATA_PREFIX));
L129: if (reserved) throw new ValidationError(`${label} metadata key '${reserved}' is reserved by Tangle`, { metadata: "reserved" });
L130: }
...
L309: }
L310: async exec(machineId, command, options) {
L311: const [result] = await this.dispatchExec(command, {
...
L322: async dispatchExecDetailed(command, options) {
L323: const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, {
L324: method: "POST",
...
L327: if (!response.ok) {
L328: const body = await response.text();
L329: throw parseErrorResponse(response.status, body, void 0, response.headers);
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/client-BZSkXIEp.jsView on unpkg · L128991const [{ existsSync, readFileSync }, { homedir }, { join }] = await Promise.all([
L992: import("node:fs"),
L993: import("node:os"),
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/client-BZSkXIEp.jsView on unpkg · L991Findings
2 Critical3 Medium4 Low
CriticalCredential Exfiltrationdist/client-BZSkXIEp.js
CriticalTrigger Reachable Dangerous Capabilitydist/client-BZSkXIEp.js
MediumDynamic Requiredist/client-BZSkXIEp.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings