registry  /  @unclesaliva/java-ai-debugger  /  1.1.13

@unclesaliva/java-ai-debugger@1.1.13

⚠ Under review

Java AI Debugger — MCP server (TypeScript) for remote JVM debugging via JDWP

Static Scan Results

scanned 40m ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 83.7 KB of source, external domains: 127.0.0.1

Source & flagged code

6 flagged · loading source
dist/stop.jsView file
44exports.stopCommand = stopCommand; L45: const node_child_process_1 = require("node:child_process"); L46: const os = __importStar(require("node:os"));
High
Child Process

Package source references child process execution.

dist/stop.jsView on unpkg · L44
dist/cli.jsView file
49const fs = __importStar(require("node:fs")); L50: const http = __importStar(require("node:http")); L51: const net = __importStar(require("node:net")); L52: const os = __importStar(require("node:os")); L53: const node_child_process_1 = require("node:child_process"); L54: const setup_js_1 = require("./setup.js"); ... L60: function printHelp() { L61: process.stdout.write(`java-ai-debugger v${VERSION} L62:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L49
lib/debug-core-0.2.0-SNAPSHOT.jarView file
path = lib/debug-core-0.2.0-SNAPSHOT.jar kind = high_entropy_blob sizeBytes = 173963 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

lib/debug-core-0.2.0-SNAPSHOT.jarView on unpkg
path = lib/debug-core-0.2.0-SNAPSHOT.jar kind = compressed_blob sizeBytes = 173963 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

lib/debug-core-0.2.0-SNAPSHOT.jarView on unpkg
path = lib/debug-core-0.2.0-SNAPSHOT.jar kind = nested_archive_needs_inspection sizeBytes = 173963 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

lib/debug-core-0.2.0-SNAPSHOT.jarView on unpkg
dist/autostart.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @unclesaliva/java-ai-debugger@1.1.3 matchedIdentity = npm:[redacted]:1.1.3 similarity = 0.375 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/autostart.jsView on unpkg

Findings

1 Critical3 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/autostart.js
HighChild Processdist/stop.js
HighCommand Output Exfiltrationdist/cli.js
HighShips High Entropy Bloblib/debug-core-0.2.0-SNAPSHOT.jar
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Bloblib/debug-core-0.2.0-SNAPSHOT.jar
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionlib/debug-core-0.2.0-SNAPSHOT.jar