Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
Source & flagged code
4 flagged · loading sourceindex.jsView file
8const _ = require('lodash');
L9: const exec = require('child_process').exec;
L10:
High
index.es.mjsView file
4L5: global._conf = (await import(path.join(process.env.XUDA_HOME, "common", "load_conf.mjs"))).loadConf();
L6:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
index.es.mjsView on unpkg · L4index.mjsView file
2import _ from 'lodash';
L3: import { exec } from 'child_process';
L4: import uniqid from 'uniqid';
...
L7:
L8: global._conf = (await import(path.join(process.env.XUDA_HOME, "common", "load_conf.mjs"))).loadConf();
L9:
...
L16: const _common = await import(path.join(process.env.XUDA_HOME, 'common', 'xuda_node_common.mjs'));
L17: // This package bundles its OWN nano (v11 = undici on dev+eu, which dropped
L18: // requestDefaults and warns on it). Detect the local major so couch_nano_extra
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
index.mjsView on unpkg · L2package.jsonView file
•Runtime dependency names matching Node built-ins: child_process
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
4 High3 Medium3 Low
HighChild Processindex.js
HighShell
HighSame File Env Network Executionindex.mjs
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requireindex.es.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings