
@zuplo/editor@1.0.28656552919

⚠ Under review

Local development editor for the Zuplo CLI

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 147 file(s), 5.23 MB of source, external domains: api.zuplo.com, bugzilla.mozilla.org, cdn.zuplo.com, code.google.com, commonmark.org, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, mcp-proxy.zuplo.io, r12a.github.io, radix-ui.com, react.dev, sass-lang.com, schema.org, stackoverflow.com, support.google.com, tools.ietf.org, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.w3.org, www.whatwg.org, zup.fail, zuplo.com
Oversized source lightweight scan
dist/client/static/js/editor.api2-Cyvs_pkb.js · 3.46 MB file, sampled 256 KB · ChildProcess, Obfuscated, HighEntropyStrings, Minified
dist/client/static/js/main.local-DkprZ9xX.js · 2.89 MB file, sampled 256 KB · Network, ChildProcess, DynamicRequire, Minified, UrlStrings, zuplo.com
dist/client/static/ts.worker-DFduhuek.js · 6.58 MB file, sampled 256 KB · Filesystem, Network, ChildProcess

Source & flagged code

3 flagged
dist/client/static/js/codemirror-DtW92bSi.js
Line 7: contains invisible/control Unicode U+200B (zero width space)
height: `+(r-t)+`px`))}function d(t,n,r){var a=R(i,t),o=a.text.length,d,f;function p(n,r){return jr(e,B(t,n),`div`,a,r)}function m(t,n,r){var i=Lr(e,a,null,t),o=n==`ltr`==(r==`after`)?`left`:`right`;return p(r==
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/client/static/js/codemirror-DtW92bSi.js · L7
dist/client/zuplo.apng
path = dist/client/zuplo.apng kind = high_entropy_blob sizeBytes = 231750 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/static/js/editor.api2-Cyvs_pkb.js
path = dist/client/static/js/editor.api2-Cyvs_pkb.js kind = oversized_source_file sizeBytes = 3626778 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.


Findings

1 Critical · 2 High · 4 Medium · 5 Low
Critical · Trojan Source Unicode · dist/client/static/js/codemirror-DtW92bSi.js
High · Ships High Entropy Blob · dist/client/zuplo.apng
High · Oversized Source File · dist/client/static/js/editor.api2-Cyvs_pkb.js
Medium · Dynamic Require
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings