registry  /  @wular/coder  /  0.1.24

@wular/coder@0.1.24

Delegating coding-agent runtime

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 374 KB of source, external domains: json-schema.org, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/lib/broker.jsView file
1#!/usr/bin/env node L2: var T$=Object.defineProperty;var Q1=($,W)=>{for(var q in W)T$($,q,{get:W[q],enumerable:!0,configurable:!0,set:(Z)=>W[q]=()=>Z})};import u from"node:fs";import W1 from"node:net";imp... L3: `,"utf8"),Q}function K$($,W){let q=L.join(R($,W),"job.json");if(!O.existsSync(q))return null;try{return JSON.parse(O.readFileSync(q,"utf8"))}catch{return null}}function A1($,W){let...
High
Child Process

Package source references child process execution.

dist/lib/broker.jsView on unpkg · L1
dist/cli.jsView file
1#!/usr/bin/env node L2: var nz=Object.defineProperty;var br=(r,i)=>{for(var $ in i)nz(r,$,{get:i[$],enumerable:!0,configurable:!0,set:(u)=>i[$]=()=>u})};import Jr from"node:process";import $i from"node:fs... L3: `,"utf8"),g}function Gr(r,i){let $=kr.join(C(r,i),"job.json");if(!p.existsSync($))return null;try{return JSON.parse(p.readFileSync($,"utf8"))}catch{return null}}function pv(r,i){le... L4: `,"utf8")}function Sr(r,i,$=40){let u=kr.join(C(r,i),"log.jsonl");if(!p.existsSync(u))return[];return p.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-$).map((v)=>{tr... L5: `))}if(!$?.checkedAt||Date.now()-$.checkedAt>zz)try{kz(Nn.execPath,[i,"_refreshUpdate"],{detached:!0,stdio:"ignore"}).unref()}catch{}}async function y_(r){let $=C_()?.latest??null;...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var nz=Object.defineProperty;var br=(r,i)=>{for(var $ in i)nz(r,$,{get:i[$],enumerable:!0,configurable:!0,set:(u)=>i[$]=()=>u})};import Jr from"node:process";import $i from"node:fs... L3: `,"utf8"),g}function Gr(r,i){let $=kr.join(C(r,i),"job.json");if(!p.existsSync($))return null;try{return JSON.parse(p.readFileSync($,"utf8"))}catch{return null}}function pv(r,i){le... L4: `,"utf8")}function Sr(r,i,$=40){let u=kr.join(C(r,i),"log.jsonl");if(!p.existsSync(u))return[];return p.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-$).map((v)=>{tr... L5: `))}if(!$?.checkedAt||Date.now()-$.checkedAt>zz)try{kz(Nn.execPath,[i,"_refreshUpdate"],{detached:!0,stdio:"ignore"}).unref()}catch{}}async function y_(r){let $=C_()?.latest??null;...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var nz=Object.defineProperty;var br=(r,i)=>{for(var $ in i)nz(r,$,{get:i[$],enumerable:!0,configurable:!0,set:(u)=>i[$]=()=>u})};import Jr from"node:process";import $i from"node:fs... L3: `,"utf8"),g}function Gr(r,i){let $=kr.join(C(r,i),"job.json");if(!p.existsSync($))return null;try{return JSON.parse(p.readFileSync($,"utf8"))}catch{return null}}function pv(r,i){le... L4: `,"utf8")}function Sr(r,i,$=40){let u=kr.join(C(r,i),"log.jsonl");if(!p.existsSync(u))return[];return p.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-$).map((v)=>{tr... L5: `))}if(!$?.checkedAt||Date.now()-$.checkedAt>zz)try{kz(Nn.execPath,[i,"_refreshUpdate"],{detached:!0,stdio:"ignore"}).unref()}catch{}}async function y_(r){let $=C_()?.latest??null;... L6: `)}function M(r,i={}){let $=typeof i==="number"?i:i.code??1,u=typeof i==="object"?i.hint:null,n=u==null?[]:Array.isArray(u)?u:[u];if(Xr.stderr.write(`${r} ... L25: `)} L26: `}function vu(r){let i=r.indexOf("--"),$=i===-1?r:r.slice(0,i);return $.includes("-h")||$.includes("--help")}import yr from"node:fs";import fi from"node:path";import f from"node:pr... L27: `,"utf8")}async function uu(r,i,{timeoutMs:$,onEvent:u}){l
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.jsView on unpkg · L1
35`,$=this.socket;if(!$)throw Error("codex app-server broker connection is not connected.");$.write(i)}}class wn{static async connect(r,i={}){let $=null;if(!i.disableBroker){if($=i.b... L36: `)}function k$(r,i=72){let $=String(r??"").trim().replace(/\s+/g," ");if(!$)return"";if($.length<=i)return $;return`${$.slice(0,i-3)}...`}function az(r){let i=k$(r,56);return i?`${... L37: `)}var Vn=(r)=>(i,$,u,n)=>{let v=u?{...u,async:!1}:{async:!1},g=i._zod.run({value:$,issues:[]},v);if(g instanceof Promise)throw new Kr;if(g.issues.length){let U=new(n?.Err??r)(g.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.jsView on unpkg · L35

Findings

4 High3 Medium7 Low
HighChild Processdist/lib/broker.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighObfuscated Payload Loaderdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License