registry  /  callmux  /  0.24.0

callmux@0.24.0

Multiplexer for MCP tool calls — parallel execution, batching, caching, and pipelining for any MCP server

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 682 KB of source, external domains: 127.0.0.1, api.slack.com, brave.com, github.com, id.example.com, mcp.example.com, raw.githubusercontent.com, www.apple.com

Source & flagged code

2 flagged · loading source
dist/redact.jsView file
20patternName = generic_password severity = medium line = 20 matchedText = url.pass...d]";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/redact.jsView on unpkg · L20
dist/daemon.jsView file
matchType = previous_version_dangerous_delta matchedPackage = callmux@0.23.2 matchedIdentity = npm:Y2FsbG11eA:0.23.2 similarity = 0.868 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/daemon.jsView on unpkg

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/daemon.js
MediumSecret Patterndist/redact.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings