registry  /  channel-worker  /  2.5.38

channel-worker@2.5.38

⚠ Under review

Channel Manager worker daemon — runs on remote machines to execute video pipeline jobs

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 376 KB of source, external domains: 127.0.0.1, affiliate.shopee.vn, api.channel.tunasm.art, down-vn.img.susercontent.com, registry.npmjs.org, shopee.vn, studio.youtube.com, www.facebook.com, www.youtube.com

Source & flagged code

4 flagged · loading source
bin/cli.jsView file
137// Spawn detached background process and exit L138: const { spawn } = require('child_process'); L139: const LOG_FILE = path.join(CONFIG_DIR, 'daemon.log');
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L137
2L3: const fs = require('fs'); L4: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cli.jsView on unpkg · L2
lib/updater.jsView file
29console.log(`[updater] Installing ${PKG_NAME}@${version}...`); L30: execSync(`npm install -g ${PKG_NAME}@${version}`, { stdio: 'inherit' }); L31: console.log(`[updater] Installed ${PKG_NAME}@${version}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/updater.jsView on unpkg · L29
scripts/upload_facebook_photo.jsView file
matchType = previous_version_dangerous_delta matchedPackage = channel-worker@2.5.35 matchedIdentity = npm:Y2hhbm5lbC13b3JrZXI:2.5.35 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/upload_facebook_photo.jsView on unpkg

Findings

1 Critical2 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/upload_facebook_photo.js
HighChild Processbin/cli.js
HighRuntime Package Installlib/updater.js
MediumDynamic Requirebin/cli.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings