
cresc-server@2026.7.5-9b69b5a2

⚠ Under review

Static Scan Results

scanned 23m ago · by rust-scanner

Static analysis flagged 22 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest
NoLicense
scanned 19 file(s), 3.30 MB of source, external domains: accounts.google.com, admin.cresc.dev, api.cresc.app, api.cresc.dev, api.github.com, api.nodemailer.com, app.cresc.dev, cdn.jsdelivr.net, cresc.dev, dl.cresc.dev, docs.stripe.com, ethereal.email, github.com, invoice.stripe.com, json-schema.org, mail.google.com, mths.be, nodejs.org, nodemailer.com, oauth2.googleapis.com, openidconnect.googleapis.com, prettier.io, pushy.reactnative.cn, react.dev, registry.npmjs.org, schemas.agentskills.io, stripe.com, update.react-native.cn, update.reactnative.cn, www.apple.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
lib/chunk-06b24emx.js: 2.30 MB file, sampled 256 KB
Network, ChildProcess, EnvironmentVars, Crypto, Obfuscated, HighEntropyStrings, Minified, UrlStrings; domains: dl.cresc.dev, mths.be
lib/chunk-k04cn85w.js: 4.61 MB file, sampled 256 KB
HighEntropyStrings, Minified

Source & flagged code

13 flagged
lib/index.js
256patternName = generic_password severity = medium line = 256 matchedText = \u2022 \...resc
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/index.js · L256
229`),console.warn(PY.valibot);break;case"effect":if(F9.effect)break;F9.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L230: `),console.warn(PY.effect);break}if(W==="arktype")return O9(Z?.toJsonSchema?.());return O9(Z.toJSONSchema?.()??Z?.toJsonSchema?.())}catch(X){console.warn(X)}},O9=(Z)=>{if(!Z||typeo... L231:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/index.js · L229
2// @bun L3: import{A as rN,B as oN,C as pN,D as iN,b as H9,c as zB,d as h9,e as WN,f as Y9,g as vW,h as v0,i as KN,j as UW,k as DW,l as I8,m as iW,n as V8,o as sW,p as nN,q as y0,r as A0,s as ... L4: Supported algorithms are: L5: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,L8="secret must be a string or buffer",Z8="key must be a str... L6: <html lang="en"> ... L229: `),console.warn(PY.valibot);break;case"effect":if(F9.effect)break;F9.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L230: `),console.warn(PY.effect);break}if(W==="arktype")return O9(Z?.toJsonSchema?.());return O9(Z.toJSONSchema?.()??Z?.toJsonSchema?.())}catch(X){console.warn(X)}},O9=(Z)=>{if(!Z||typeo... L231: L232: Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.`)}for(let Q of Z.seen.entries()){let G=Q[1];if(J===Q[0]){z(Q);continue}if(Z.external){let B=Z.exter... L233: `)){let z=X.indexOf(HG);if(z<0)continue;let Q=X.slice(z+HG.length).trim();if(!Q)continue;try{let G=JSON.parse(Q);if(!yD(G)){W++;continue}if(qG(G.message)){Y++;continue}J.push
Low
Weak Crypto

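Package source references weak cryptographic algorithms. The flagged excerpt includes an algorithm list that names "none"; the string alone does not show that unsigned tokens are accepted, so check which algorithms the verification calls actually allow.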

lib/index.js · L2
lib/chunk-3vz2sygz.js
1// @bun L2: import{spawnSync as b}from"child_process";import{accessSync as S,constants as y,existsSync as G,readdirSync as v,readFileSync as V,writeFileSync as j}from"fs";import R from"os";imp... L3:
High
Child Process

Package source references child process execution.

lib/chunk-3vz2sygz.js · L1
lib/chunk-eqeah73x.js
71L72: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}tk.exports=ok});var Iq=P((_q)=>{var Aq=p("os"),vA=p("path"),Lq=Aq.tmpdir(),QV=p... L73:
High
Shell

Package source references shell execution.

lib/chunk-eqeah73x.js · L71
1// @bun L2: import{Z as gV,ga as nV,ha as sX,ia as fC,ja as lX,ka as rX,la as oX,ma as tX,na as sC,pa as eX,qa as rC,ra as Hz}from"./chunk-84e5ry5g.js";import{$a as D9,Bb as lC,ab as JH,bb as ... L3: loaded from: `+H+` ... L15: `),this.stream.write(this.lastDraw)};J_.prototype.terminate=function(){if(this.clear){if(this.stream.clearLine)this.stream.clearLine(),this.stream.cursorTo(0)}else this.stream.writ... L16: `)}});var LL=P((bD)=>{Object.defineProperty(bD,"__esModule",{value:!0});function Za(H,T){for(var A in T)Object.defineProperty(H,A,{enumerable:!0,get:Object.getOwnPropertyDescriptor... L17: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/chunk-eqeah73x.js · L1
3loaded from: `+H+` L4: `);function D(x){var B=FD(wA.join(x,"prebuilds")).map(M5),C=B.filter(h5(zD,XD)).sort(K5)[0];if(!C)return;var c=wA.join(x,"prebuilds",C.name),R=FD(c).map(k5),G=R.filter(q5(WD,c5)),S... L5: * mime-types ... L13: * MIT Licensed L14: */RG=BG.exports=J_;function J_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),this.stream.write(this.lastDraw)};J_.prototype.terminate=function(){if(this.clear){if(this.stream.clearLine)this.stream.clearLine(),this.stream.cursorTo(0)}else this.stream.writ... L16: `)}});var LL=P((bD)=>{Object.defineProperty(bD,"__esModule",{value:!0});function Za(H,T){for(var A in T)Object.defineProperty(H,A,{enumerable:!0,get:Object.getOwnPropertyDescriptor... L17: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/chunk-eqeah73x.js · L3
1Cross-file remote execution chain: lib/chunk-eqeah73x.js spawns lib/index.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{Z as gV,ga as nV,ha as sX,ia as fC,ja as lX,ka as rX,la as oX,ma as tX,na as sC,pa as eX,qa as rC,ra as Hz}from"./chunk-84e5ry5g.js";import{$a as D9,Bb as lC,ab as JH,bb as ... L3: loaded from: `+H+` L4: `);function D(x){var B=FD(wA.join(x,"prebuilds")).map(M5),C=B.filter(h5(zD,XD)).sort(K5)[0];if(!C)return;var c=wA.join(x,"prebuilds",C.name),R=FD(c).map(k5),G=R.filter(q5(WD,c5)),S... L5: * mime-types ... L9: */var ME=i5(),Qz=p("path").extname,N5=/^\s*([^;\s]*)(?:;|\s|$)/,iz=/^text\//i;pz.charset=Y5;pz.charsets={lookup:Y5};pz.contentType=Nz;pz.extension=Yz;pz.extensions=Object.create(nu... L10: `;hH.DEFAULT_CONTENT_TYPE="application/octet-stream";hH.prototype.append=function(H,T,A){if(A=A||{},typeof A==="string")A={filename:A};var L=yD.prototype.append.bind(this);if(typeo... L11: * node-progress ... L13: * MIT Licensed L14: */RG=BG.exports=J_;function J_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),this.strea…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/chunk-eqeah73x.js · L1
89@#[line:`+H.lineNumber+",col:"+H.columnNumber+"]"}function gJ(H,T,A){if(typeof H=="string")return H.substr(T,A);else{if(H.length>=T+A||T)return new java.lang.String(H,T,A)+"";retur... L90: `,q.offset=(i=$.offset)!=null?i:0,q.width=(Q=$.width)!=null?Q:0,q.dontPrettyTextNodes=(h=(k=$.dontPrettyTextNodes)!=null?k:$.dontprettytextnodes)!=null?h:0,q.spaceBeforeSlash=(W=(N... L91: `+A.join(`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/chunk-eqeah73x.js · L89
lib/chunk-b7tsve87.js
42`).concat(`\r L43: `)}function SK($,Z){let X=-1;for(let Q=0;Q<$.length;Q+=2){if($[Q]!==Z)continue;if(X===-1){X=Q;continue}let J=$[X+1];if(Z===vX&&J){let Y=f8($[Q+1],J);if(Y)$[X+1]=Y}$.splice(Q,2),Q-=... L44: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}createSocket($,Z,X){let Q={...Z,secureEndpoint:this.isSecureEndpoint(Z)};Promise.resolve().then(()=>this.c...
Critical
Protestware

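Package source matches protestware-related patterns. The flagged excerpt is truncated minified code and the report does not say which pattern matched; confirm the match in the file before acting on the Critical rating.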

lib/chunk-b7tsve87.js · L42
29patternName = generic_password severity = medium line = 29 matchedText = `),typeo...ion.
Medium
Secret Pattern

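Hardcoded password in lib/chunk-b7tsve87.js. This is a generic_password pattern match at medium severity and the matched text shown is truncated; verify it in the file before treating it as a live credential.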

lib/chunk-b7tsve87.js · L29
lib/node-hdiffpatch-q8ah3hfz.node
path = lib/node-hdiffpatch-q8ah3hfz.node kind = native_binary sizeBytes = 463096 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

lib/node-hdiffpatch-q8ah3hfz.node
lib/chunk-k04cn85w.js
path = lib/chunk-k04cn85w.js kind = oversized_source_file sizeBytes = 4837698 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

lib/chunk-k04cn85w.js

Findings

1 Critical · 7 High · 7 Medium · 7 Low
Critical · Protestware · lib/chunk-b7tsve87.js
High · Child Process · lib/chunk-3vz2sygz.js
High · Shell · lib/chunk-eqeah73x.js
High · Same File Env Network Execution · lib/chunk-eqeah73x.js
High · Command Output Exfiltration · lib/chunk-eqeah73x.js
High · Cross File Remote Execution Context · lib/chunk-eqeah73x.js
High · Obfuscated
High · Oversized Source File · lib/chunk-k04cn85w.js
Medium · Secret Pattern · lib/index.js
Medium · Dynamic Require · lib/chunk-eqeah73x.js
Medium · Network
Medium · Environment Vars
Medium · Ships Native Binary · lib/node-hdiffpatch-q8ah3hfz.node
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · lib/chunk-b7tsve87.js
Low · Scripts Present
Low · Eval · lib/index.js
Low · Weak Crypto · lib/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License