registry  /  @zeppos/zpm  /  3.4.2

@zeppos/zpm@3.4.2

zpm is a tool that is zepp package manager

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 2.30 MB of source, external domains: docs.zepp.com, emscripten.org, github.com, upload-cdn.zepp.com

Source & flagged code

6 flagged · loading source
lib/node.jsView file
1/*! For license information please see node.js.LICENSE.txt */ L2: (()=>{var __webpack_modules__={898(A,e,t){var i;i||="undefined"!=typeof Png2TgaModule?Png2TgaModule:{};var n=Object.assign({},i),r="object"==typeof window,o="function"==typeof impo...
High
Child Process

Package source references child process execution.

lib/node.jsView on unpkg · L1
1/*! For license information please see node.js.LICENSE.txt */ L2: (()=>{var __webpack_modules__={898(A,e,t){var i;i||="undefined"!=typeof Png2TgaModule?Png2TgaModule:{};var n=Object.assign({},i),r="object"==typeof window,o="function"==typeof impo...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/node.jsView on unpkg · L1
1/*! For license information please see node.js.LICENSE.txt */ L2: (()=>{var __webpack_modules__={898(A,e,t){var i;i||="undefined"!=typeof Png2TgaModule?Png2TgaModule:{};var n=Object.assign({},i),r="object"==typeof window,o="function"==typeof impo...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/node.jsView on unpkg · L1
1/*! For license information please see node.js.LICENSE.txt */ L2: (()=>{var __webpack_modules__={898(A,e,t){var i;i||="undefined"!=typeof Png2TgaModule?Png2TgaModule:{};var n=Object.assign({},i),r="object"==typeof window,o="function"==typeof impo...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

lib/node.jsView on unpkg · L1
1/*! For license information please see node.js.LICENSE.txt */ L2: (()=>{var __webpack_modules__={898(A,e,t){var i;i||="undefined"!=typeof Png2TgaModule?Png2TgaModule:{};var n=Object.assign({},i),r="object"==typeof window,o="function"==typeof impo...
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/node.jsView on unpkg · L1
bin/qjsc_darwinView file
path = bin/qjsc_darwin kind = native_binary sizeBytes = 1128136 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/qjsc_darwinView on unpkg

Findings

5 High5 Medium5 Low
HighChild Processlib/node.js
HighSame File Env Network Executionlib/node.js
HighCommand Output Exfiltrationlib/node.js
HighObfuscated Payload Loaderlib/node.js
HighObfuscated
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binarybin/qjsc_darwin
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvallib/node.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings