
@vibgrate/cli@2026.630.3

⚠ Under review

CLI for measuring upgrade drift across Node, .NET, Python & Java projects

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

Public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Native Bindings, Network
Supply chain: High Entropy Strings, Minified, Obfuscated, Protestware, Telemetry, Url Strings
Manifest: No License
scanned 13 file(s), 892 KB of source, external domains: adoptium.net, api.github.com, api.nuget.org, api.osv.dev, api.vibgrate.com, artifacthub.io, crates.io, docs.vibgrate.com, dotnet.microsoft.com, github.com, go.dev, hex.pm, hub.docker.com, openvex.dev, owasp.org, proxy.golang.org, pub.dev, pypi.org, raw.githubusercontent.com, registry.npmjs.org, registry.terraform.io, repo.packagist.org, rubygems.org, search.maven.org, spdx.org, spec.openapis.org, vibgrate.com, www.aicpa-cima.com, www.apache.org, www.iso.org, www.nist.gov, www.python.org, www.rfc-editor.org
Oversized source lightweight scan
dist/hcs-worker.js: 18.5 MB file, sampled 256 KB
Signals in sample: Filesystem, Network, Child Process, Environment Vars, Dynamic Require, High Entropy Strings, Url Strings; external domain: www.apache.org

Source & flagged code

10 flagged

dist/chunk-F3VR44AL.js
L1: import {Za}from'./chunk-NHYABBIJ.js';import*as s from'path';import {Command}from'commander';import r from'chalk';import {execFile}from'child_process';import*as i from'fs/promises';...
L2: `,"utf8");}async function E(e,t){await m(s.dirname(e)),await i.writeFile(e,t,"utf8");}var n;async function f(){if(n!==void 0)return n??void 0;try{n=(await import('./dist-L4434H3J.j...
High
Child Process

Package source references child process execution.

dist/chunk-F3VR44AL.js · L1

dist/hcs-wasm/vibgrate_hcs_wasm.js
L445: const wasmPath = `${__dirname}/vibgrate_hcs_wasm_bg.wasm`;
L446: const wasmBytes = require('fs').readFileSync(wasmPath);
L447: const wasmModule = new WebAssembly.Module(wasmBytes);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/hcs-wasm/vibgrate_hcs_wasm.js · L445

dist/cli.js
L1: #!/usr/bin/env node
L2: import'./chunk-BSZ73KTR.js';import {d,c,e,f,b as b$1,a as a$1,h}from'./chunk-F3VR44AL.js';import {b,Ua,Fa,Xa,Wa,Va,Za,Ta}from'./chunk-NHYABBIJ.js';import {a}from'./chunk-MKDRULJ6.j...
L3: `),console.log(""),console.log(l.green("\u2714")+` DSN written to ${t.write}`),console.log(l.yellow("\u26A0")+" Add this file to .gitignore!");}});function Vt(){return S.join(Ut.ho...
L4: `,"utf8");try{ee.chmodSync(n,384);}catch{}}function Gt(){try{return ee.rmSync(de()),!0}catch{return false}}function fe(t){return t||(process.env.VIBGRATE_DSN?process.env.VIBGRATE_...
L5: Failing: ${p$1.findings.filter(f=>f.level==="error").length} error finding(s) detected.`)),process.exit(2)),e.failOn==="warn"&&(m||u)&&(console.error(l.red(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.js · L1

dist/cli.js
L33: ... and ${u} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:p,severity:35});}}return e.sort((s,i)=>i.severity-s.severity),e.slice(0,5)}function Zt(t){let...
L34: `)}var nn=new Command("report").description("Generate a drift report from a scan artifact").option("--in <file>","Input artifact file",".vibgrate/scan_result.json").option("--forma...
L35: `)),process.exit(1)),e$1.push(...await mr(r));}e$1.push(...t.statement);let n=fr({author:t.author,defaultProduct:t.product,timestamp:t.timestamp,id:t.id,statements:e$1}),o=JSON.str...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L33

dist/cli.js
Evidence excerpt: dist/cli.js L1–L5 and L33–L35 (the same lines quoted above under Same File Env Network Execution and Command Output Exfiltration).
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.js · L1

dist/cli.js
Cross-file remote execution chain: dist/cli.js spawns dist/chunk-BSZ73KTR.js; the helper contains network access plus dynamic code execution.
Evidence excerpt: dist/cli.js L1–L5 and L33–L34 (the same lines quoted above under Same File Env Network Execution and Command Output Exfiltration).
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.js · L1

dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
path = dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm kind = wasm_module sizeBytes = 2161245 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm

dist/hcs-worker.js
path = dist/hcs-worker.js kind = oversized_source_file sizeBytes = 19407933 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/hcs-worker.js
path = dist/hcs-worker.js kind = oversized_cli_entrypoint sizeBytes = 19407933 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/hcs-worker.js

dist/chunk-NHYABBIJ.js
matchType = previous_version_dangerous_delta matchedPackage = @vibgrate/cli@2026.630.4 matchedIdentity = npm:QHZpYmdyYXRlL2NsaQ:2026.630.4 similarity = 0.769 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/chunk-NHYABBIJ.js

Findings

1 Critical · 6 High · 7 Medium · 7 Low

Critical · Previous Version Dangerous Delta · dist/chunk-NHYABBIJ.js
High · Child Process · dist/chunk-F3VR44AL.js
High · Same File Env Network Execution · dist/cli.js
High · Command Output Exfiltration · dist/cli.js
High · Sandbox Evasion Gated Capability · dist/cli.js
High · Cross File Remote Execution Context · dist/cli.js
High · Oversized Source File · dist/hcs-worker.js
Medium · Dynamic Require · dist/hcs-wasm/vibgrate_hcs_wasm.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Wasm Module · dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
Medium · Oversized Cli Entrypoint · dist/hcs-worker.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License