registry  /  cresc-server  /  2026.7.4-f911d9a5

cresc-server@2026.7.4-f911d9a5

⚠ Under review

Static Scan Results

scanned 18h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 20 file(s), 4.91 MB of source, external domains: accounts.google.com, admin.cresc.dev, api.cresc.app, api.cresc.dev, api.github.com, api.nodemailer.com, app.cresc.dev, cdn.jsdelivr.net, cresc.dev, docs.stripe.com, ely.sia, ethereal.email, github.com, invoice.stripe.com, jira.mariadb.org, json-schema.org, mail.google.com, mths.be, nodejs.org, nodemailer.com, oauth2.googleapis.com, openidconnect.googleapis.com, prettier.io, pris.ly, pushy.reactnative.cn, react.dev, registry.npmjs.org, s.io, schemas.agentskills.io, stripe.com, sts.aliyuncs.com, update.react-native.cn, update.reactnative.cn, www.apple.com, www.googleapis.com, www.prisma.io, www.w3.org
Oversized source lightweight scan
lib/chunk-nnqzwvaj.js4.61 MB file, sampled 256 KB
HighEntropyStringsMinified

Source & flagged code

13 flagged · loading source
lib/index.jsView file
278patternName = generic_password severity = medium line = 278 matchedText = \u2022 \...resc
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/index.jsView on unpkg · L278
251`),console.warn(W5.valibot);break;case"effect":if(P9.effect)break;P9.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L252: `),console.warn(W5.effect);break}if(J==="arktype")return T9(Y?.toJsonSchema?.());return T9(Y.toJSONSchema?.()??Y?.toJsonSchema?.())}catch(w){console.warn(w)}},T9=(Y)=>{if(!Y||typeo... L253:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/index.jsView on unpkg · L251
4causes have become circular...`;let J=SJ(Y);if(J)return Z.add(Y),X+` L5: caused by: `+U7(J,Z);else return X},IV=(Y)=>U7(Y,new Set),V7=(Y,Z,X)=>{if(!k8(Y))return"";let J=X?"":Y.message||"";if(Z.has(Y))return J+": ...";let w=SJ(Y);if(w){Z.add(Y);let Q=typ... L6: ${M}`,j=`, ... L22: ${q}${x} L23: ${M}`;return F.pop(),`{${x}}`}case"number":return isFinite(N)?String(N):Z?Z(N):"null";case"boolean":return N===!0?"true":"false";case"undefined":return;case"bigint":if(J)return Str... L24: `:` ... L26: Supported algorithms are: L27: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,u8="secret must be a string or buffer",U8="key must be a str... L28: <html lang="en"> ... L277: \u2022 \u603B\u8BA1\u83B7\u5F97 ${$+30} \u5929 ${Z} \u670D\u52A1 L278: \u2022 \u5230\u671F\u65F6\u95F4\uFF1A${z.format("YYYY-MM-DD")}`;return console.log(V),{newExpiryDate:z.toDate(),paymentAmount:B,transferredDays:$,explanation:V}}var BU=new R({prefi... L279:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/index.jsView on unpkg · L4
lib/chunk-hc32ajha.jsView file
15`),this.stream.write(this.lastDraw)};k_.prototype.terminate=function(){if(this.clear){if(this.stream.clearLine)this.stream.clearLine(),this.stream.cursorTo(0)}else this.stream.writ... L16: `)}});var _L=P((mD)=>{Object.defineProperty(mD,"__esModule",{value:!0});function qX(H,T){for(var A in T)Object.defineProperty(H,A,{enumerable:!0,get:Object.getOwnPropertyDescriptor... L17: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Child Process

Package source references child process execution.

lib/chunk-hc32ajha.jsView on unpkg · L15
71L72: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}vk.exports=jk});var sk=P((fk)=>{var bk=V("os"),yA=V("path"),nk=bk.tmpdir(),JV=p... L73:
High
Shell

Package source references shell execution.

lib/chunk-hc32ajha.jsView on unpkg · L71
1// @bun L2: import{V as YV,ca as VV,ea as lW,fa as rW,ga as oW,ia as tW,ja as sC}from"./chunk-2me8sm3f.js";import{$a as AL,Ka as rH,La as PH,Ma as AO,Na as ih,Oa as lF,Pa as U0,Qa as uF,Ra as ... L3: loaded from: `+H+` ... L15: `),this.stream.write(this.lastDraw)};k_.prototype.terminate=function(){if(this.clear){if(this.stream.clearLine)this.stream.clearLine(),this.stream.cursorTo(0)}else this.stream.writ... L16: `)}});var _L=P((mD)=>{Object.defineProperty(mD,"__esModule",{value:!0});function qX(H,T){for(var A in T)Object.defineProperty(H,A,{enumerable:!0,get:Object.getOwnPropertyDescriptor... L17: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/chunk-hc32ajha.jsView on unpkg · L1
3loaded from: `+H+` L4: `);function D(x){var B=PD(pA.join(x,"prebuilds")).map(B5),C=B.filter(C5(UD,JD)).sort(G5)[0];if(!C)return;var c=pA.join(x,"prebuilds",C.name),R=PD(c).map(h5),G=R.filter(M5($D,L5)),h... L5: * mime-types ... L13: * MIT Licensed L14: */EG=cG.exports=k_;function k_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),this.stream.write(this.lastDraw)};k_.prototype.terminate=function(){if(this.clear){if(this.stream.clearLine)this.stream.clearLine(),this.stream.cursorTo(0)}else this.stream.writ... L16: `)}});var _L=P((mD)=>{Object.defineProperty(mD,"__esModule",{value:!0});function qX(H,T){for(var A in T)Object.defineProperty(H,A,{enumerable:!0,get:Object.getOwnPropertyDescriptor... L17: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/chunk-hc32ajha.jsView on unpkg · L3
1Cross-file remote execution chain: lib/chunk-hc32ajha.js spawns lib/index.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{V as YV,ca as VV,ea as lW,fa as rW,ga as oW,ia as tW,ja as sC}from"./chunk-2me8sm3f.js";import{$a as AL,Ka as rH,La as PH,Ma as AO,Na as ih,Oa as lF,Pa as U0,Qa as uF,Ra as ... L3: loaded from: `+H+` L4: `);function D(x){var B=PD(pA.join(x,"prebuilds")).map(B5),C=B.filter(C5(UD,JD)).sort(G5)[0];if(!C)return;var c=pA.join(x,"prebuilds",C.name),R=PD(c).map(h5),G=R.filter(M5($D,L5)),h... L5: * mime-types ... L9: */var hE=X5(),ii=V("path").extname,z5=/^\s*([^;\s]*)(?:;|\s|$)/,Xi=/^text\//i;Ni.charset=F5;Ni.charsets={lookup:F5};Ni.contentType=zi;Ni.extension=Fi;Ni.extensions=Object.create(nu... L10: `;SH.DEFAULT_CONTENT_TYPE="application/octet-stream";SH.prototype.append=function(H,T,A){if(A=A||{},typeof A==="string")A={filename:A};var L=uD.prototype.append.bind(this);if(typeo... L11: * node-progress ... L13: * MIT Licensed L14: */EG=cG.exports=k_;function k_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),this.strea…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/chunk-hc32ajha.jsView on unpkg · L1
89@#[line:`+H.lineNumber+",col:"+H.columnNumber+"]"}function t7(H,T,A){if(typeof H=="string")return H.substr(T,A);else{if(H.length>=T+A||T)return new java.lang.String(H,T,A)+"";retur... L90: `,q.offset=(Q=J.offset)!=null?Q:0,q.width=(O=J.width)!=null?O:0,q.dontPrettyTextNodes=(M=(k=J.dontPrettyTextNodes)!=null?k:J.dontprettytextnodes)!=null?M:0,q.spaceBeforeSlash=(a=(N... L91: `+A.join(`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/chunk-hc32ajha.jsView on unpkg · L89
lib/chunk-07wgkxcy.jsView file
20`).concat(`\r L21: `)}function AW($,Z){let X=-1;for(let Q=0;Q<$.length;Q+=2){if($[Q]!==Z)continue;if(X===-1){X=Q;continue}let J=$[X+1];if(Z===NX&&J){let Y=hZ($[Q+1],J);if(Y)$[X+1]=Y}$.splice(Q,2),Q-=... L22: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}createSocket($,Z,X){let Q={...Z,secureEndpoint:this.isSecureEndpoint(Z)};Promise.resolve().then(()=>this.c...
Critical
Protestware

Package source matches protestware-related patterns.

lib/chunk-07wgkxcy.jsView on unpkg · L20
7patternName = generic_password severity = medium line = 7 matchedText = `),typeo...ion.
Medium
Secret Pattern

Hardcoded password in lib/chunk-07wgkxcy.js

lib/chunk-07wgkxcy.jsView on unpkg · L7
lib/node-hdiffpatch-q8ah3hfz.nodeView file
path = lib/node-hdiffpatch-q8ah3hfz.node kind = native_binary sizeBytes = 463096 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

lib/node-hdiffpatch-q8ah3hfz.nodeView on unpkg
lib/chunk-nnqzwvaj.jsView file
path = lib/chunk-nnqzwvaj.js kind = oversized_source_file sizeBytes = 4837698 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

lib/chunk-nnqzwvaj.jsView on unpkg

Findings

1 Critical7 High7 Medium6 Low
CriticalProtestwarelib/chunk-07wgkxcy.js
HighChild Processlib/chunk-hc32ajha.js
HighShelllib/chunk-hc32ajha.js
HighSame File Env Network Executionlib/chunk-hc32ajha.js
HighCommand Output Exfiltrationlib/chunk-hc32ajha.js
HighCross File Remote Execution Contextlib/chunk-hc32ajha.js
HighObfuscated
HighOversized Source Filelib/chunk-nnqzwvaj.js
MediumSecret Patternlib/index.js
MediumDynamic Requirelib/chunk-hc32ajha.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarylib/node-hdiffpatch-q8ah3hfz.node
MediumStructural Risk Force Deep Review
MediumSecret Patternlib/chunk-07wgkxcy.js
LowEvallib/index.js
LowWeak Cryptolib/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License