registry  /  @wular/coder  /  0.1.7

@wular/coder@0.1.7

Delegating coding-agent runtime

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsEvalFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 344 KB of source, external domains: json-schema.org

Source & flagged code

4 flagged · loading source
dist/cli.jsView file
1#!/usr/bin/env node L2: var _c=Object.defineProperty;var zr=(r,i)=>{for(var v in i)_c(r,v,{get:i[v],enumerable:!0,configurable:!0,set:(u)=>i[v]=()=>u})};import h from"node:fs";import F from"node:path";imp... L3: `,"utf8"),t}function Zr(r,i){let v=gr.join(rr(r,i),"job.json");if(!lr.existsSync(v))return null;try{return JSON.parse(lr.readFileSync(v,"utf8"))}catch{return null}}function i$(r){l... ... L14: `).filter(($)=>$),u=Math.min(...v.map(($)=>$.length-$.trimStart().length)),n=v.map(($)=>$.slice(u)).map(($)=>" ".repeat(this.indent*2)+$);for(let $ of n)this.content.push($)}compil... L15: `))}}var Wu={major:4,minor:4,patch:3};var L=c("$ZodType",(r,i)=>{var v;r??(r={}),r._zod.def=i,r._zod.bag=r._zod.bag||{},r._zod.version=Wu;let u=[...r._zod.def.checks??[]];if(r._zod... L16: if (${q}.issues.length) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var _c=Object.defineProperty;var zr=(r,i)=>{for(var v in i)_c(r,v,{get:i[v],enumerable:!0,configurable:!0,set:(u)=>i[v]=()=>u})};import h from"node:fs";import F from"node:path";imp... L3: `,"utf8"),t}function Zr(r,i){let v=gr.join(rr(r,i),"job.json");if(!lr.existsSync(v))return null;try{return JSON.parse(lr.readFileSync(v,"utf8"))}catch{return null}}function i$(r){l... L4: `,"utf8")}function $$(r,i,v=40){let u=gr.join(rr(r,i),"log.jsonl");if(!lr.existsSync(u))return[];return lr.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-v).map(($)=>... L5: `,"utf8")}function jc(r){let i=t$(r);if(T.existsSync(i))T.unlinkSync(i)}async function qc(r){if(!r)return!1;try{return await q6(r,150)}catch{return!1}}async function Y6(r,i={}){let... L6: ${$.stdout}`.trim();if(!$.error&&Qc(t))return{attempted:!0,delivered:!1,method:"taskkill",result:$};if($.error?.code==="ENOENT")try{return n(r),{attempted:!0,delivered:!0,method:"k... ... L14: `).filter(($)=>$),u=Math.min(...v.map(($)=>$.length-$.trimStart().length)),n=v.map(($)=>$.slice(u)).map(($)=>" ".repeat(this.indent*2)+$);for(let $ of n)this.content.push($)}compil... L15: `))}}var Wu={major:4,minor:4,patch:3};
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var _c=Object.defineProperty;var zr=(r,i)=>{for(var v in i)_c(r,v,{get:i[v],enumerable:!0,configurable:!0,set:(u)=>i[v]=()=>u})};import h from"node:fs";import F from"node:path";imp... L3: `,"utf8"),t}function Zr(r,i){let v=gr.join(rr(r,i),"job.json");if(!lr.existsSync(v))return null;try{return JSON.parse(lr.readFileSync(v,"utf8"))}catch{return null}}function i$(r){l... L4: `,"utf8")}function $$(r,i,v=40){let u=gr.join(rr(r,i),"log.jsonl");if(!lr.existsSync(u))return[];return lr.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-v).map(($)=>... L5: `,"utf8")}function jc(r){let i=t$(r);if(T.existsSync(i))T.unlinkSync(i)}async function qc(r){if(!r)return!1;try{return await q6(r,150)}catch{return!1}}async function Y6(r,i={}){let... L6: ${$.stdout}`.trim();if(!$.error&&Qc(t))return{attempted:!0,delivered:!1,method:"taskkill",result:$};if($.error?.code==="ENOENT")try{return n(r),{attempted:!0,delivered:!0,method:"k... ... L14: `).filter(($)=>$),u=Math.min(...v.map(($)=>$.length-$.trimStart().length)),n=v.map(($)=>$.slice(u)).map(($)=>" ".repeat(this.indent*2)+$);for(let $ of n)this.content.push($)}compil... L15: `))}}var Wu={major:4,minor:4,patch:3};
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.jsView on unpkg · L1
11`,v=this.socket;if(!v)throw Error("codex app-server broker connection is not connected.");v.write(i)}}class Cr{static async connect(r,i={}){let v=null;if(!i.disableBroker){if(v=i.b... L12: `)}function Oi(r,i=72){let v=String(r??"").trim().replace(/\s+/g," ");if(!v)return"";if(v.length<=i)return v;return`${v.slice(0,i-3)}...`}function ec(r){let i=Oi(r,56);return i?`${... L13: `)}var ar=(r)=>(i,v,u,n)=>{let $=u?{...u,async:!1}:{async:!1},t=i._zod.run({value:v,issues:[]},$);if(t instanceof Promise)throw new _r;if(t.issues.length){let o=new(n?.Err??r)(t.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.jsView on unpkg · L11

Findings

3 High2 Medium7 Low
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighObfuscated Payload Loaderdist/cli.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License