registry  /  @wular/coder  /  0.1.8

@wular/coder@0.1.8

Delegating coding-agent runtime

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 348 KB of source, external domains: json-schema.org, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/cli.jsView file
1#!/usr/bin/env node L2: var VU=Object.defineProperty;var Nr=(r,i)=>{for(var v in i)VU(r,v,{get:i[v],enumerable:!0,configurable:!0,set:(u)=>i[v]=()=>u})};import d from"node:fs";import x from"node:path";imp... L3: `,"utf8"),t}function er(r,i){let v=Ir.join(ir(r,i),"job.json");if(!lr.existsSync(v))return null;try{return JSON.parse(lr.readFileSync(v,"utf8"))}catch{return null}}function t$(r){l... ... L14: `).filter(($)=>$),u=Math.min(...v.map(($)=>$.length-$.trimStart().length)),n=v.map(($)=>$.slice(u)).map(($)=>" ".repeat(this.indent*2)+$);for(let $ of n)this.content.push($)}compil... L15: `))}}var Xu={major:4,minor:4,patch:3};var L=U("$ZodType",(r,i)=>{var v;r??(r={}),r._zod.def=i,r._zod.bag=r._zod.bag||{},r._zod.version=Xu;let u=[...r._zod.def.checks??[]];if(r._zod... L16: if (${q}.issues.length) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var VU=Object.defineProperty;var Nr=(r,i)=>{for(var v in i)VU(r,v,{get:i[v],enumerable:!0,configurable:!0,set:(u)=>i[v]=()=>u})};import d from"node:fs";import x from"node:path";imp... L3: `,"utf8"),t}function er(r,i){let v=Ir.join(ir(r,i),"job.json");if(!lr.existsSync(v))return null;try{return JSON.parse(lr.readFileSync(v,"utf8"))}catch{return null}}function t$(r){l... L4: `,"utf8")}function o$(r,i,v=40){let u=Ir.join(ir(r,i),"log.jsonl");if(!lr.existsSync(u))return[];return lr.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-v).map(($)=>... L5: `,"utf8")}function ZU(r){let i=l$(r);if(F.existsSync(i))F.unlinkSync(i)}async function fU(r){if(!r)return!1;try{return await B6(r,150)}catch{return!1}}async function M6(r,i={}){let... L6: ${$.stdout}`.trim();if(!$.error&&CU(t))return{attempted:!0,delivered:!1,method:"taskkill",result:$};if($.error?.code==="ENOENT")try{return n(r),{attempted:!0,delivered:!0,method:"k... ... L14: `).filter(($)=>$),u=Math.min(...v.map(($)=>$.length-$.trimStart().length)),n=v.map(($)=>$.slice(u)).map(($)=>" ".repeat(this.indent*2)+$);for(let $ of n)this.content.push($)}compil... L15: `))}}var Xu={major:4,minor:4,patch:3};
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var VU=Object.defineProperty;var Nr=(r,i)=>{for(var v in i)VU(r,v,{get:i[v],enumerable:!0,configurable:!0,set:(u)=>i[v]=()=>u})};import d from"node:fs";import x from"node:path";imp... L3: `,"utf8"),t}function er(r,i){let v=Ir.join(ir(r,i),"job.json");if(!lr.existsSync(v))return null;try{return JSON.parse(lr.readFileSync(v,"utf8"))}catch{return null}}function t$(r){l... L4: `,"utf8")}function o$(r,i,v=40){let u=Ir.join(ir(r,i),"log.jsonl");if(!lr.existsSync(u))return[];return lr.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-v).map(($)=>... L5: `,"utf8")}function ZU(r){let i=l$(r);if(F.existsSync(i))F.unlinkSync(i)}async function fU(r){if(!r)return!1;try{return await B6(r,150)}catch{return!1}}async function M6(r,i={}){let... L6: ${$.stdout}`.trim();if(!$.error&&CU(t))return{attempted:!0,delivered:!1,method:"taskkill",result:$};if($.error?.code==="ENOENT")try{return n(r),{attempted:!0,delivered:!0,method:"k... ... L14: `).filter(($)=>$),u=Math.min(...v.map(($)=>$.length-$.trimStart().length)),n=v.map(($)=>$.slice(u)).map(($)=>" ".repeat(this.indent*2)+$);for(let $ of n)this.content.push($)}compil... L15: `))}}var Xu={major:4,minor:4,patch:3};
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.jsView on unpkg · L1
11`,v=this.socket;if(!v)throw Error("codex app-server broker connection is not connected.");v.write(i)}}class yr{static async connect(r,i={}){let v=null;if(!i.disableBroker){if(v=i.b... L12: `)}function Pi(r,i=72){let v=String(r??"").trim().replace(/\s+/g," ");if(!v)return"";if(v.length<=i)return v;return`${v.slice(0,i-3)}...`}function n_(r){let i=Pi(r,56);return i?`${... L13: `)}var rn=(r)=>(i,v,u,n)=>{let $=u?{...u,async:!1}:{async:!1},t=i._zod.run({value:v,issues:[]},$);if(t instanceof Promise)throw new _r;if(t.issues.length){let g=new(n?.Err??r)(t.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.jsView on unpkg · L11

Findings

3 High3 Medium7 Low
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighObfuscated Payload Loaderdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License