registry  /  @wular/coder  /  0.2.3

@wular/coder@0.2.3

Delegating coding-agent runtime

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 392 KB of source, external domains: 127.0.0.1, json-schema.org, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/lib/broker.jsView file
1#!/usr/bin/env node L2: var A$=Object.defineProperty;var X1=($,W)=>{for(var q in W)A$($,q,{get:W[q],enumerable:!0,configurable:!0,set:(Z)=>W[q]=()=>Z})};import u from"node:fs";import q1 from"node:net";imp... L3: `,"utf8"),Q}function z$($){if(!$.engine&&($.agent==="codex"||$.agent==="claude"))$.engine=$.agent;return $}function u$($,W){let q=N.join(f($,W),"job.json");if(!V.existsSync(q))retu...
High
Child Process

Package source references child process execution.

dist/lib/broker.jsView on unpkg · L1
dist/cli.jsView file
1#!/usr/bin/env node L2: var Gz=Object.defineProperty;var Mr=(r,$)=>{for(var v in $)Gz(r,v,{get:$[v],enumerable:!0,configurable:!0,set:(u)=>$[v]=()=>u})};import Wr from"node:process";import _$ from"node:fs... L3: `,"utf8"),g}function i1(r){if(!r.engine&&(r.agent==="codex"||r.agent==="claude"))r.engine=r.agent;return r}function Tr(r,$){let v=h.join(o(r,$),"job.json");if(!d.existsSync(v))retu... L4: `,"utf8")}function Ar(r,$,v=40){let u=h.join(o(r,$),"log.jsonl");if(!d.existsSync(u))return[];return d.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-v).map((i)=>{try... L5:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var Gz=Object.defineProperty;var Mr=(r,$)=>{for(var v in $)Gz(r,v,{get:$[v],enumerable:!0,configurable:!0,set:(u)=>$[v]=()=>u})};import Wr from"node:process";import _$ from"node:fs... L3: `,"utf8"),g}function i1(r){if(!r.engine&&(r.agent==="codex"||r.agent==="claude"))r.engine=r.agent;return r}function Tr(r,$){let v=h.join(o(r,$),"job.json");if(!d.existsSync(v))retu... L4: `,"utf8")}function Ar(r,$,v=40){let u=h.join(o(r,$),"log.jsonl");if(!d.existsSync(u))return[];return d.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-v).map((i)=>{try... L5:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var Gz=Object.defineProperty;var Mr=(r,$)=>{for(var v in $)Gz(r,v,{get:$[v],enumerable:!0,configurable:!0,set:(u)=>$[v]=()=>u})};import Wr from"node:process";import _$ from"node:fs... L3: `,"utf8"),g}function i1(r){if(!r.engine&&(r.agent==="codex"||r.agent==="claude"))r.engine=r.agent;return r}function Tr(r,$){let v=h.join(o(r,$),"job.json");if(!d.existsSync(v))retu... L4: `,"utf8")}function Ar(r,$,v=40){let u=h.join(o(r,$),"log.jsonl");if(!d.existsSync(u))return[];return d.readFileSync(u,"utf8").split(/\r?\n/).filter(Boolean).slice(-v).map((i)=>{try... L5: L6: `))}if(!v?.checkedAt||Date.now()-v.checkedAt>Fz)try{Tz(On.execPath,[$,"_refreshUpdate"],{detached:!0,stdio:"ignore"}).unref()}catch{}}async function _1(r){let v=g1()?.latest??null;... L7: `)}function G(r,$={}){let v=typeof $==="number"?$:$.code??1,u=typeof $==="object"?$.hint:null,n=u==null?[]:Array.isArray(u)?u:[u];if(qr.stderr.write(`${r} ... L36: `)} L37: `}function Ov(r){let $=r.indexOf("--"),v=$===-1?r:r.slice(0,$);return v.includes("-h")||v.includes("--help")}import er from"node:fs";import nv from"node:path";import f from"node:pr... L38: `,"utf8")}async function Ku(r,$,{timeoutMs:v,onEvent:
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.jsView on unpkg · L1
46`,v=this.socket;if(!v)throw Error("codex app-server broker connection is not connected.");v.write($)}}class Kn{static async connect(r,$={}){let v=null;if(!$.disableBroker){if(v=$.b... L47: `)}function wv(r,$=72){let v=String(r??"").trim().replace(/\s+/g," ");if(!v)return"";if(v.length<=$)return v;return`${v.slice(0,$-3)}...`}function VN(r){let $=wv(r,56);return $?`${... L48: `)}var Gn=(r)=>($,v,u,n)=>{let i=u?{...u,async:!1}:{async:!1},g=$._zod.run({value:v,issues:[]},i);if(g instanceof Promise)throw new Lr;if(g.issues.length){let I=new(n?.Err??r)(g.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.jsView on unpkg · L46

Findings

4 High3 Medium7 Low
HighChild Processdist/lib/broker.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighObfuscated Payload Loaderdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License