registry  /  @xuda.io/misc_module  /  1.1.539

@xuda.io/misc_module@1.1.539

Xuda Misc Server Module

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 147 KB of source, external domains: api.cloudflare.com, github.com, googleads.googleapis.com, graph.facebook.com, mcp.gotopanel.com, mcp.xuda.dev, oauth2.googleapis.com, registry.npmjs.org, www.npmjs.com, xuda.ai

Source & flagged code

5 flagged · loading source
1patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L1: OPENAI_API_KEY=<redacted:56 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L1
index.mjsView file
10import os from 'os'; L11: import { execFile } from 'child_process'; L12: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

index.mjsView on unpkg · L10
4import { OpenAI } from 'openai'; L5: import dns from 'node:dns'; L6: import fse from 'fs-extra'; ... L10: import os from 'os'; L11: import { execFile } from 'child_process'; L12: import { promisify } from 'util'; ... L15: L16: global._conf = (await import(path.join(process.env.XUDA_HOME, "common", "load_conf.mjs"))).loadConf(); L17:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.mjsView on unpkg · L4
4import { OpenAI } from 'openai'; L5: import dns from 'node:dns'; L6: import fse from 'fs-extra'; ... L10: import os from 'os'; L11: import { execFile } from 'child_process'; L12: import { promisify } from 'util'; ... L15: L16: global._conf = (await import(path.join(process.env.XUDA_HOME, "common", "load_conf.mjs"))).loadConf(); L17: ... L44: code: 1, L45: data: data, L46: });
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

index.mjsView on unpkg · L4
index_ms.mjsView file
8L9: const { MessageBroker } = await import(path.join(process.env.XUDA_HOME, 'common', 'ms_broker.mjs')); L10:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index_ms.mjsView on unpkg · L8

Findings

1 Critical4 High3 Medium4 Low
CriticalCritical Secret.env
HighChild Processindex.mjs
HighShell
HighSame File Env Network Executionindex.mjs
HighCredential Exfiltrationindex.mjs
MediumDynamic Requireindex_ms.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings