
cresc-server@2026.7.5-3baaf3a3

⚠ Under review

Static Scan Results

scanned 16h ago · by rust-scanner

Static analysis flagged 21 findings at 86.0% confidence. This version remains warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
A combination of high-risk behaviors matched the policy for malicious packages.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest
NoLicense
scanned 20 file(s), 4.91 MB of source, external domains: accounts.google.com, admin.cresc.dev, api.cresc.app, api.cresc.dev, api.github.com, api.nodemailer.com, app.cresc.dev, cdn.jsdelivr.net, cresc.dev, docs.stripe.com, ely.sia, ethereal.email, github.com, invoice.stripe.com, jira.mariadb.org, json-schema.org, mail.google.com, mths.be, nodejs.org, nodemailer.com, oauth2.googleapis.com, openidconnect.googleapis.com, prettier.io, pris.ly, pushy.reactnative.cn, react.dev, registry.npmjs.org, s.io, schemas.agentskills.io, stripe.com, sts.aliyuncs.com, update.react-native.cn, update.reactnative.cn, www.apple.com, www.googleapis.com, www.prisma.io, www.w3.org
Oversized source: lightweight scan
lib/chunk-zmxzceeq.js: 4.61 MB file, sampled 256 KB (tags for this file reflect only the sampled portion)
HighEntropyStrings, Minified

Source & flagged code

13 flagged
lib/chunk-dt4svk6m.js
20`).concat(`\r L21: `)}function AW($,Z){let X=-1;for(let Q=0;Q<$.length;Q+=2){if($[Q]!==Z)continue;if(X===-1){X=Q;continue}let J=$[X+1];if(Z===NX&&J){let Y=hZ($[Q+1],J);if(Y)$[X+1]=Y}$.splice(Q,2),Q-=... L22: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}createSocket($,Z,X){let Q={...Z,secureEndpoint:this.isSecureEndpoint(Z)};Promise.resolve().then(()=>this.c...
Critical
Protestware

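Package source matches protestware-related patterns. The excerpt shown appears to be minified HTTP(S) agent socket handling (`createSocket`, `isSecureEndpoint`) and shows no protest payload, so confirm this match by manual review of the full file before treating it as established.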

lib/chunk-dt4svk6m.js · L20
7patternName = generic_password severity = medium line = 7 matchedText = `),typeo...ion.
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/chunk-dt4svk6m.js · L7
lib/chunk-wbz3bjbz.js
47`+Z.prev+Z.base;return J+w2.call(X,","+J)+` L48: `+Z.prev}function NY(X,Z){var J=hz(X),W=[];if(J){W.length=X.length;for(var Y=0;Y<X.length;Y++)W[Y]=u2(X,Y)?Z(X[Y],X):""}var $=typeof gz==="function"?gz(X):[],Q;if(d7){Q={};for(var ... L49: * statuses
High
Child Process

Package source references child process execution.

lib/chunk-wbz3bjbz.js · L47
40*/var kd=/["'&<>]/;mN.exports=Cd;function Cd(X){var Z=""+X,J=kd.exec(Z);if(!J)return Z;var W,Y="",$=0,Q=0;for($=J.index;$<Z.length;$++){switch(Z.charCodeAt($)){case 34:W="&quot;";b... L41: * is-extendable <https://github.com/jonschlinkert/is-extendable> L42: * ... L47: `+Z.prev+Z.base;return J+w2.call(X,","+J)+` L48: `+Z.prev}function NY(X,Z){var J=hz(X),W=[];if(J){W.length=X.length;for(var Y=0;Y<X.length;Y++)W[Y]=u2(X,Y)?Z(X[Y],X):""}var $=typeof gz==="function"?gz(X):[],Q;if(d7){Q={};for(var ... L49: * statuses
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/chunk-wbz3bjbz.js · L40
26* Available under MIT license L27: */(function(){var X={function:!0,object:!0},Z=X[typeof window]&&window||this,J=Z,W=X[typeof QY]&&QY,Y=X[typeof jZ]&&jZ&&!jZ.nodeType&&jZ,$=W&&Y&&typeof global=="object"&&global;if(... L28: * copy-to - index.js
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/chunk-wbz3bjbz.js · L26
2import{Cb as k$}from"./chunk-dt4svk6m.js";import{Gb as Du,Ib as wJ}from"./chunk-tps8je68.js";import{Jb as B2,Kb as k,Lb as d9,Nb as X1}from"./chunk-k07b9z9j.js";var aU=k((_A1,oU)=>... L3: `},headless:!1,chunkSize:1e4,emptyTag:"",cdata:!1}}}).call(eU)});var Y2=k((XH,E9)=>{(function(){var X,Z,J,W,Y,$,Q,w=[].slice,z={}.hasOwnProperty;X=function(){var G,D,H,B,N,K;if(K=a... L4: `,F.offset=(h=j.offset)!=null?h:0,F.dontPrettyTextNodes=(T=(_=j.dontPrettyTextNodes)!=null?_:j.dontprettytextnodes)!=null?T:0,F.spaceBeforeSlash=(P=(O=j.spaceBeforeSlash)!=null?O:j... L5: `||V==="\r"||V==="\t"}function A(V){return V==='"'||V==="'"}function E(V){return V===">"||F(V)}function h(V,L){return V.test(L)}function T(V,L){return!h(V,L)}var _=0;X.STATE={BEGIN... ... L30: * MIT Licensed L31: */var Ou=Array.prototype.slice;pB.exports=$2;function $2(X,Z){if(!(this instanceof $2))return new $2(X,Z);this.src=X,this._withAccess=Z}$2.prototype.withAccess=function(X){return t... L32: GFS4: `),console.error(X)};if(!e0[r4]){if(Vz=global[r4]||[],VN(e0,Vz),e0.close=function(X){function Z(J,W){return X.call(e0,J,function(Y){if(!Y)_N();if(typeof W==="function")W.appl... ... L47: `+Z.prev+Z.base;return J+w2.call(X,",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/chunk-wbz3bjbz.js · L2
lib/chunk-bvr1k5jp.js
71L72: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}gk.exports=yk});var ok=P((rk)=>{var sk=V("os"),yA=V("path"),lk=sk.tmpdir(),OV=p... L73:
High
Shell

Package source references shell execution.

lib/chunk-bvr1k5jp.js · L71
3loaded from: `+H+` L4: `);function D(x){var B=WD(pA.join(x,"prebuilds")).map(h5),C=B.filter(M5(PD,ZD)).sort(S5)[0];if(!C)return;var c=pA.join(x,"prebuilds",C.name),R=WD(c).map(K5),G=R.filter(k5(UD,E5)),h... L5: * mime-types ... L13: * MIT Licensed L14: */xG=RG.exports=k_;function k_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),this.stream.write(this.lastDraw)};k_.prototype.terminate=function(){if(this.clear){if(this.stream.clearLine)this.stream.clearLine(),this.stream.cursorTo(0)}else this.stream.writ... L16: `)}});var _L=P((vD)=>{Object.defineProperty(vD,"__esModule",{value:!0});function zi(H,T){for(var A in T)Object.defineProperty(H,A,{enumerable:!0,get:Object.getOwnPropertyDescriptor... L17: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/chunk-bvr1k5jp.js · L3
1Cross-file remote execution chain: lib/chunk-bvr1k5jp.js spawns lib/chunk-wbz3bjbz.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{Y as bV,fa as nV,ga as HX,ha as TX,ia as AX,ja as LX,ka as _X,la as sC,na as IX,oa as rC,pa as EX}from"./chunk-krz2vj99.js";import{$a as sF,Va as rH,Wa as PH,Xa as CO,Ya as ... L3: loaded from: `+H+` L4: `);function D(x){var B=WD(pA.join(x,"prebuilds")).map(h5),C=B.filter(M5(PD,ZD)).sort(S5)[0];if(!C)return;var c=pA.join(x,"prebuilds",C.name),R=WD(c).map(K5),G=R.filter(k5(UD,E5)),h... L5: * mime-types ... L9: */var ME=O5(),pX=V("path").extname,Q5=/^\s*([^;\s]*)(?:;|\s|$)/,uX=/^text\//i;yX.charset=N5;yX.charsets={lookup:N5};yX.contentType=mX;yX.extension=jX;yX.extensions=Object.create(nu... L10: `;SH.DEFAULT_CONTENT_TYPE="application/octet-stream";SH.prototype.append=function(H,T,A){if(A=A||{},typeof A==="string")A={filename:A};var L=jD.prototype.append.bind(this);if(typeo... L11: * node-progress ... L13: * MIT Licensed L14: */xG=RG.exports=k_;function k_(H,T){if(this.stream=T.stream||process.stderr,typeof T=="number"){var A=T;T={},T.total=A}else{if(T=T||{},typeof H!="string")throw Error("format requir... L15: `),t…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/chunk-bvr1k5jp.js · L1
lib/index.js
278patternName = generic_password severity = medium line = 278 matchedText = \u2022 \...resc
Medium
Secret Pattern

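Hardcoded password in lib/index.js. This is a `generic_password` pattern match at medium severity; the matched text shown is truncated, so inspect line 278 to determine whether it is an actual credential.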

lib/index.js · L278
251`),console.warn(Q5.valibot);break;case"effect":if(L9.effect)break;L9.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L252: `),console.warn(Q5.effect);break}if(J==="arktype")return E9(Z?.toJsonSchema?.());return E9(Z.toJSONSchema?.()??Z?.toJsonSchema?.())}catch(G){console.warn(G)}},E9=(Z)=>{if(!Z||typeo... L253:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/index.js · L251
lib/node-hdiffpatch-q8ah3hfz.node
path = lib/node-hdiffpatch-q8ah3hfz.node kind = native_binary sizeBytes = 463096 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

lib/node-hdiffpatch-q8ah3hfz.node
lib/chunk-zmxzceeq.js
path = lib/chunk-zmxzceeq.js kind = oversized_source_file sizeBytes = 4837698 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

lib/chunk-zmxzceeq.js

Findings

1 Critical · 7 High · 7 Medium · 6 Low
Critical · Protestware · lib/chunk-dt4svk6m.js
High · Child Process · lib/chunk-wbz3bjbz.js
High · Shell · lib/chunk-bvr1k5jp.js
High · Same File Env Network Execution · lib/chunk-wbz3bjbz.js
High · Command Output Exfiltration · lib/chunk-bvr1k5jp.js
High · Cross File Remote Execution Context · lib/chunk-bvr1k5jp.js
High · Obfuscated
High · Oversized Source File · lib/chunk-zmxzceeq.js
Medium · Secret Pattern · lib/chunk-dt4svk6m.js
Medium · Dynamic Require · lib/chunk-wbz3bjbz.js
Medium · Network
Medium · Environment Vars
Medium · Ships Native Binary · lib/node-hdiffpatch-q8ah3hfz.node
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · lib/index.js
Low · Eval · lib/index.js
Low · Weak Crypto · lib/chunk-wbz3bjbz.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License