Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVars
Source & flagged code
4 flagged · loading sourcebin/dev-tracker.jsView file
1#!/usr/bin/env node
L2: const { spawn } = require('child_process');
L3: const path = require('path');
High
9L10: const child = spawn('npx', ['next', 'start', '-p', port], {
L11: cwd: packageDir,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/dev-tracker.jsView on unpkg · L9.next/static/media/fe62e8d0a3cf5f1e-s.36_reagd89li4.woff2View file
•path = .[redacted]-s.36_reagd89li4.woff2
kind = high_entropy_blob
sizeBytes = 7148
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
.next/static/media/fe62e8d0a3cf5f1e-s.36_reagd89li4.woff2View on unpkg.next/dev/cache/turbopack/v16.2.10/00000015.sstView file
•path = .next/dev/cache/turbopack/v16.2.10/00000015.sst
kind = payload_in_excluded_dir
sizeBytes = 1049233
magicHex = [redacted]
High
Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.next/dev/cache/turbopack/v16.2.10/00000015.sstView on unpkgFindings
4 High2 Medium2 Low
HighChild Processbin/dev-tracker.js
HighRuntime Package Installbin/dev-tracker.js
HighShips High Entropy Blob.next/static/media/fe62e8d0a3cf5f1e-s.36_reagd89li4.woff2
HighPayload In Excluded Dir.next/dev/cache/turbopack/v16.2.10/00000015.sst
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present