Static Scan Results
scanned 9d ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcebuild/program-BwnVUFVS.jsView file
1import { createRequire } from "node:module";
L2: import { exec, spawn } from "node:child_process";
L3: import * as path$1 from "node:path";
High
Child Process
Package source references child process execution.
build/program-BwnVUFVS.jsView on unpkg · L11829if (process$3.versions?.electron) parseOptions.from = "electron";
L1830: const execArgv = process$3.execArgv ?? [];
L1831: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
11708const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start \"\"" : "xdg-open";
L11709: exec(`${cmd} "${url}"`, (err) => {
L11710: if (err) process.stderr.write(`Could not open browser (${cmd}): ${err.message}\n`);
L11711: });
...
L11717: function togglOAuthLocalRedirectUri(port = TOGGL_OAUTH_CALLBACK_PORT) {
L11718: return `http://localhost:${port}/callback`;
L11719: }
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
build/program-BwnVUFVS.jsView on unpkg · L1170825759}
L25760: if (viaNpx) throw new Error(`Running via npx does not update a global install. Run \`npx ${getPublicPackageSpec()}\`, or install globally with:\n npm install -g ${getPublicPackage...
L25761: const { command, args } = buildGlobalInstallCommand(detectPackageManager());
L25762: await new Promise((resolve, reject) => {
L25763: const child = spawn(command, args, { stdio: "inherit" });
L25764: child.on("error", (err) => {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
build/program-BwnVUFVS.jsView on unpkg · L25759Findings
4 High3 Medium5 Low
HighChild Processbuild/program-BwnVUFVS.js
HighShellbuild/program-BwnVUFVS.js
HighCommand Output Exfiltrationbuild/program-BwnVUFVS.js
HighRuntime Package Installbuild/program-BwnVUFVS.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License