registry  /  arcanajs  /  6.1.0

arcanajs@6.1.0

ArcanaJS Framework

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscated
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 2.47 MB of source

Source & flagged code

8 flagged · loading source
dist/development/cli/index.jsView file
1453}); L1454: const _child_process = __webpack_require__(/*! child_process */ "child_process"); L1455: const _fs = /*#__PURE__*/ _interop_require_default(__webpack_require__(/*! fs */ "fs"));
High
Child Process

Package source references child process execution.

dist/development/cli/index.jsView on unpkg · L1453
14084const _global = global; L14085: const nativeRequire = _global["process"]?.["mainModule"]?.["require"]; L14086: if (nativeRequire) {
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/development/cli/index.jsView on unpkg · L14084
13Cross-file remote execution chain: dist/development/cli/index.js spawns dist/development/lib/client/hmr-client.js; helper contains network access plus dynamic code execution. L13: this file except in compliance with the License. You may obtain a copy of the L14: License at http://www.apache.org/licenses/LICENSE-2.0 L15: ... L91: var _WeakMap = typeof WeakMap === "function" ? WeakMap : CreateWeakMapPolyfill(); L92: var registrySymbol = supportsSymbol ? Symbol.for("@reflect-metadata:registry") : undefined; L93: var metadataRegistry = GetOrCreateMetadataRegistry(); ... L1453: }); L1454: const _child_process = __webpack_require__(/*! child_process */ "child_process"); L1455: const _fs = /*#__PURE__*/ _interop_require_default(__webpack_require__(/*! fs */ "fs")); ... L1505: */ async build(options = {}) { L1506: process.env.NODE_ENV = "production"; L1507: this.buildStartTime = Date.now();
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/development/cli/index.jsView on unpkg · L13
2161case "yarn": L2162: return `yarn add ${pkgList}`; L2163: case "pnpm": ... L2175: try { L2176: (0, _child_process.execSync)(installCmd, { L2177: stdio: "inherit"
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/development/cli/index.jsView on unpkg · L2161
14062// Use eval to avoid Webpack bundling L14063: const r = eval("module.require"); L14064: if (r) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/development/cli/index.jsView on unpkg · L14062
bin/arcanajs.jsView file
2L3: require("../dist/cli/index.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/arcanajs.jsView on unpkg · L2
dist/production/arcanajs.min.jsView file
1(()=>{var __webpack_modules__={190:(e,t,r)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),Object.defineProperty(t,"ClassScanner",{enumerable:!0,get:function(){retu... L2: //# sourceMappingURL=arcanajs.min.js.map
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/production/arcanajs.min.jsView on unpkg · L1
dist/lib/validation/ValidationException.d.tsView file
14patternName = generic_password severity = medium line = 14 matchedText = * pass...eak'
Medium
Secret Pattern

Hardcoded password in dist/lib/validation/ValidationException.d.ts

dist/lib/validation/ValidationException.d.tsView on unpkg · L14

Findings

5 High5 Medium5 Low
HighChild Processdist/development/cli/index.js
HighSame File Env Network Executiondist/production/arcanajs.min.js
HighObfuscated Payload Loaderdist/development/cli/index.js
HighCross File Remote Execution Contextdist/development/cli/index.js
HighRuntime Package Installdist/development/cli/index.js
MediumDynamic Requirebin/arcanajs.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/lib/validation/ValidationException.d.ts
LowScripts Present
LowEvaldist/development/cli/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings