registry  /  extension  /  4.0.3

extension@4.0.3

Create cross-browser extensions with no build configuration.

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 4 file(s), 645 KB of source, external domains: example.com, github.com, us.i.posthog.com, www.extension.dev

Source & flagged code

4 flagged · loading source
bin/extension.cjsView file
20try { L21: const {spawnSync} = require('child_process') L22: const tsxCli = require.resolve('tsx/cli')
High
Child Process

Package source references child process execution.

bin/extension.cjsView on unpkg · L20
6Cross-file remote execution chain: bin/extension.cjs spawns dist/cli.cjs; helper contains network access plus dynamic code execution. L6: L7: const distCjsEntry = path.resolve(__dirname, '../dist/cli.cjs') L8: const distEntry = path.resolve(__dirname, '../dist/cli.js') ... L20: try { L21: const {spawnSync} = require('child_process') L22: const tsxCli = require.resolve('tsx/cli')
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/extension.cjsView on unpkg · L6
3L4: const fs = require('fs') L5: const path = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/extension.cjsView on unpkg · L3
dist/cli.cjsView file
24function readUpdateSuffixOnce() { L25: const suffix = process.env.EXTENSION_CLI_UPDATE_SUFFIX; L26: if (!suffix) return null; ... L41: try { L42: return JSON.parse(external_fs_.readFileSync(readyPath, 'utf-8')); L43: } catch { ... L78: const absolute = external_path_.resolve(extensionPath); L79: const isWindows = 'win32' === process.platform; L80: const seedBuffer = isWindows ? Buffer.from(absolute.replace(/\//g, '\\'), 'utf16le') : Buffer.from(absolute, 'utf8'); ... L132: const message = { L133: data: { L134: id: extensionId,
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/cli.cjsView on unpkg · L24

Findings

3 High5 Medium5 Low
HighChild Processbin/extension.cjs
HighCredential Exfiltrationdist/cli.cjs
HighCross File Remote Execution Contextbin/extension.cjs
MediumDynamic Requirebin/extension.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings