Static Scan Results
scanned 1h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
36try {
L37: return JSON.stringify(redactForLog(JSON.parse(body)));
L38: } catch {
...
L104: function registryUrl(pkg) {
L105: return `https://registry.npmjs.org/${pkg.replace("/", "%2F")}/latest`;
L106: }
...
L123: try {
L124: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8");
L125: return JSON.parse(raw);
...
L150: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0;
L151: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m
L152: `);
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L3636Trigger-reachable chain: manifest.bin -> dist/index.js
L36: try {
L37: return JSON.stringify(redactForLog(JSON.parse(body)));
L38: } catch {
...
L104: function registryUrl(pkg) {
L105: return `https://registry.npmjs.org/${pkg.replace("/", "%2F")}/latest`;
L106: }
...
L123: try {
L124: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8");
L125: return JSON.parse(raw);
...
L150: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0;
L151: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m
L152: `);
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L36692L693: await import(pathToFileURL(resolve(here, ${JSON.stringify(spec.buildPath)})).href);
L694: `;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L692Findings
2 Critical4 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License