@zuplo/editor@1.0.28518247271

⚠ Under review

Local development editor for the Zuplo CLI

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess · EnvironmentVars · Filesystem · Network
Supply chain: HighEntropyStrings · Minified · Obfuscated · UrlStrings
Manifest: No manifest risk signals triggered.
scanned 147 file(s), 5.23 MB of source, external domains: api.zuplo.com, bugzilla.mozilla.org, cdn.zuplo.com, code.google.com, commonmark.org, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, example.com, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, mcp-proxy.zuplo.io, r12a.github.io, radix-ui.com, react.dev, sass-lang.com, schema.org, stackoverflow.com, status.zuplo.com, support.google.com, techdocs.akamai.com, tools.ietf.org, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.w3.org, www.whatwg.org, zup.fail, zuplo.com
Oversized source lightweight scan
dist/client/static/js/editor.api2-Cyvs_pkb.js · 3.46 MB file, sampled 256 KB
ChildProcess · Obfuscated · HighEntropyStrings · Minified
dist/client/static/js/main.local-DnyCsbfc.js · 2.90 MB file, sampled 256 KB
Network · ChildProcess · HighEntropyStrings · Minified · UrlStrings · example.com · status.zuplo.com · techdocs.akamai.com · zuplo.com
dist/client/static/ts.worker-DFduhuek.js · 6.58 MB file, sampled 256 KB
Filesystem · Network · ChildProcess

Source & flagged code

3 flagged
dist/client/static/js/codemirror-DtW92bSi.js
Line 7: contains invisible/control Unicode U+200B (zero width space)
height: `+(r-t)+`px`))}function d(t,n,r){var a=R(i,t),o=a.text.length,d,f;function p(n,r){return jr(e,B(t,n),`div`,a,r)}function m(t,n,r){var i=Lr(e,a,null,t),o=n==`ltr`==(r==`after`)?`left`:`right`;return p(r==
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/client/static/js/codemirror-DtW92bSi.js · L7
dist/client/zuplo.apng
path = dist/client/zuplo.apng kind = high_entropy_blob sizeBytes = 231750 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/static/js/editor.api2-Cyvs_pkb.js
path = dist/client/static/js/editor.api2-Cyvs_pkb.js kind = oversized_source_file sizeBytes = 3626778 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.


Findings

1 Critical · 2 High · 3 Medium · 5 Low
Critical · Trojan Source Unicode · dist/client/static/js/codemirror-DtW92bSi.js
High · Ships High Entropy Blob · dist/client/zuplo.apng
High · Oversized Source File · dist/client/static/js/editor.api2-Cyvs_pkb.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings