
cresc-server@2026.7.1-626e4435

⚠ Under review

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
A combination of high-risk behaviors matched the scanner's malicious-package policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest
NoLicense
scanned 18 file(s), 4.90 MB of source, external domains: accounts.google.com, admin.cresc.dev, api.cresc.app, api.cresc.dev, api.github.com, api.nodemailer.com, app.cresc.dev, cdn.jsdelivr.net, cresc.dev, docs.stripe.com, ely.sia, ethereal.email, github.com, invoice.stripe.com, jira.mariadb.org, json-schema.org, mail.google.com, mths.be, nodejs.org, nodemailer.com, oauth2.googleapis.com, openidconnect.googleapis.com, prettier.io, pris.ly, pushy.reactnative.cn, react.dev, registry.npmjs.org, s.io, stripe.com, sts.aliyuncs.com, update.react-native.cn, update.reactnative.cn, www.apple.com, www.googleapis.com, www.prisma.io, www.w3.org
Oversized source lightweight scan
lib/chunk-rnb20zq9.js: 4.61 MB file, sampled 256 KB
HighEntropyStrings, Minified

Source & flagged code

13 flagged
lib/index.js
4causes have become circular...`;let J=_J(Y);if(J)return Z.add(Y),X+` L5: caused by: `+V6(J,Z);else return X},CU=(Y)=>V6(Y,new Set),U6=(Y,Z,X)=>{if(!k8(Y))return"";let J=X?"":Y.message||"";if(Z.has(Y))return J+": ...";let Q=_J(Y);if(Q){Z.add(Y);let G=typ... L6: ${M}`,j=`,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/index.js · L4
278patternName = generic_password severity = medium line = 278 matchedText = \u2022 \...}`);
Medium
Secret Pattern

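Package contains a possible secret pattern. The truncated match begins with an escaped Unicode bullet (\u2022), so confirm by hand whether the line holds a credential or only message text.

lib/index.js · L278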
251`),console.warn(W5.valibot);break;case"effect":if(P9.effect)break;P9.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L252: `),console.warn(W5.effect);break}if(J==="arktype")return T9(Y?.toJsonSchema?.());return T9(Y.toJSONSchema?.()??Y?.toJsonSchema?.())}catch(Q){console.warn(Q)}},T9=(Y)=>{if(!Y||typeo... L253:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/index.js · L251
4causes have become circular...`;let J=_J(Y);if(J)return Z.add(Y),X+` L5: caused by: `+V6(J,Z);else return X},CU=(Y)=>V6(Y,new Set),U6=(Y,Z,X)=>{if(!k8(Y))return"";let J=X?"":Y.message||"";if(Z.has(Y))return J+": ...";let Q=_J(Y);if(Q){Z.add(Y);let G=typ... L6: ${M}`,j=`, ... L22: ${F}${k} L23: ${M}`;return O.pop(),`{${k}}`}case"number":return isFinite(N)?String(N):Z?Z(N):"null";case"boolean":return N===!0?"true":"false";case"undefined":return;case"bigint":if(J)return Str... L24: `:` ... L26: Supported algorithms are: L27: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,u8="secret must be a string or buffer",V8="key must be a str... L28: <html lang="en"> ... L277: \u2022 \u603B\u8BA1\u83B7\u5F97 ${$+30} \u5929 ${Z} \u670D\u52A1 L278: \u2022 \u5230\u671F\u65F6\u95F4\uFF1A${z.format("YYYY-MM-DD")}`;return console.log(q),{newExpiryDate:z.toDate(),paymentAmount:A,transferredDays:$,explanation:q}}var AV=new f({prefi... L279:
Low
Weak Crypto

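Package source references weak cryptographic algorithms. The excerpt shows what appears to be a JWT library's supported-algorithms message, which lists "none"; when reviewing, check that token verification in the package pins an explicit algorithm allow-list.

lib/index.js · L4
lib/pm2Bootstrap.js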
2// @bun L3: import{spawnSync as k}from"child_process";import{accessSync as j,constants as M,existsSync as l,readdirSync as N,readFileSync as _,writeFileSync as h}from"fs";import m from"os";imp... L4:
High
Child Process

Package source references child process execution.

lib/pm2Bootstrap.js · L2
lib/chunk-b4sfa5z6.js
71L72: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}Vk.exports=uk});var gk=i((nk)=>{var dk=p("os"),dA=p("path"),yk=dk.tmpdir(),ap=p... L73:
High
Shell

Package source references shell execution.

lib/chunk-b4sfa5z6.js · L71
3loaded from: `+H+` L4: `);function D(x){var B=iD(pA.join(x,"prebuilds")).map(D5),C=B.filter(x5(JD,$D)).sort(R5)[0];if(!C)return;var c=pA.join(x,"prebuilds",C.name),R=iD(c).map(B5),G=R.filter(C5(qD,H5)),h... L5: * mime-types ... L13: * MIT Licensed L14: */LG=_G.exports=K_;function K_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),this.stream.write(this.lastDraw)};K_.prototype.terminate=function(){if(this.clear){if(this.stream.clearLine)this.stream.clearLine(),this.stream.cursorTo(0)}else this.stream.writ... L16: `)}});var LL=i((mD)=>{Object.defineProperty(mD,"__esModule",{value:!0});function KX(H,T){for(var A in T)Object.defineProperty(H,A,{enumerable:!0,get:Object.getOwnPropertyDescriptor... L17: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/chunk-b4sfa5z6.js · L3
1Cross-file remote execution chain: lib/chunk-b4sfa5z6.js spawns lib/index.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{$ as Np,S as wp,ba as bP,ca as fP,da as sP,fa as lP,ga as fC}from"./chunk-01hady57.js";import{$a as xz,Ha as lH,Ia as iH,Ja as HO,Ka as i4,La as fF,Ma as J0,Na as pF,Oa as K... L3: loaded from: `+H+` L4: `);function D(x){var B=iD(pA.join(x,"prebuilds")).map(D5),C=B.filter(x5(JD,$D)).sort(R5)[0];if(!C)return;var c=pA.join(x,"prebuilds",C.name),R=iD(c).map(B5),G=R.filter(C5(qD,H5)),h... L5: * mime-types ... L9: */var hE=Z5(),ZW=p("path").extname,P5=/^\s*([^;\s]*)(?:;|\s|$)/,PW=/^text\//i;OW.charset=W5;OW.charsets={lookup:W5};OW.contentType=WW;OW.extension=XW;OW.extensions=Object.create(nu... L10: `;MH.DEFAULT_CONTENT_TYPE="application/octet-stream";MH.prototype.append=function(H,T,A){if(A=A||{},typeof A==="string")A={filename:A};var L=VD.prototype.append.bind(this);if(typeo... L11: * node-progress ... L13: * MIT Licensed L14: */LG=_G.exports=K_;function K_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),this.strea…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/chunk-b4sfa5z6.js · L1
lib/chunk-skq9q7q8.js
1// @bun L2: import{tb as $0}from"./chunk-d4jncwmk.js";import{ub as Y0}from"./chunk-kpetkf2p.js";/*! ieee754. BSD-3-Clause License. Feross Aboukhadijeh <https://feross.org/opensource> */var $1=... L3: `,"\r","\t"," ","\x00"].some((J)=>this.checkString(J,{offset:6})))return{ext:"vtt",mime:"text/vtt"};if(this.check([137,80,78,71,13,10,26,10]))return z1(G);if(this.check([65,82,82,7...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/chunk-skq9q7q8.js · L1
lib/chunk-tbgk1w4j.js
20`).concat(`\r L21: `)}function AW($,Z){let X=-1;for(let Q=0;Q<$.length;Q+=2){if($[Q]!==Z)continue;if(X===-1){X=Q;continue}let J=$[X+1];if(Z===NX&&J){let Y=hZ($[Q+1],J);if(Y)$[X+1]=Y}$.splice(Q,2),Q-=... L22: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}createSocket($,Z,X){let Q={...Z,secureEndpoint:this.isSecureEndpoint(Z)};Promise.resolve().then(()=>this.c...
Critical
Protestware

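Package source matches protestware-related patterns. The excerpt above shows HTTPS socket-creation code and does not make the matched pattern evident, so read the full lines around L20 before acting on the Critical rating.

lib/chunk-tbgk1w4j.js · L20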
7patternName = generic_password severity = medium line = 7 matchedText = `),typeo...ion.
Medium
Secret Pattern

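Possible hardcoded password in lib/chunk-tbgk1w4j.js: the generic_password pattern matched text that begins with what looks like minified code, so confirm by hand before treating it as a credential.

lib/chunk-tbgk1w4j.js · L7
lib/node-hdiffpatch-q8ah3hfz.node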
path = lib/node-hdiffpatch-q8ah3hfz.node kind = native_binary sizeBytes = 463096 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

lib/node-hdiffpatch-q8ah3hfz.node
lib/chunk-rnb20zq9.js
path = lib/chunk-rnb20zq9.js kind = oversized_source_file sizeBytes = 4837698 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

lib/chunk-rnb20zq9.js

Findings

1 Critical · 7 High · 7 Medium · 6 Low
Critical · Protestware · lib/chunk-tbgk1w4j.js
High · Child Process · lib/pm2Bootstrap.js
High · Shell · lib/chunk-b4sfa5z6.js
High · Same File Env Network Execution · lib/index.js
High · Command Output Exfiltration · lib/chunk-b4sfa5z6.js
High · Cross File Remote Execution Context · lib/chunk-b4sfa5z6.js
High · Obfuscated
High · Oversized Source File · lib/chunk-rnb20zq9.js
Medium · Secret Pattern · lib/index.js
Medium · Dynamic Require · lib/chunk-skq9q7q8.js
Medium · Network
Medium · Environment Vars
Medium · Ships Native Binary · lib/node-hdiffpatch-q8ah3hfz.node
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · lib/chunk-tbgk1w4j.js
Low · Eval · lib/index.js
Low · Weak Crypto · lib/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License