Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/fix-node-pty.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgdist/go.jsView file
69try {
L70: const { exec } = await Promise.resolve().then(() => __importStar(require("node:child_process")));
L71: const open = process.platform === "darwin"
High
75: "xdg-open";
L76: exec(`${open} ${JSON.stringify(pairUrl)}`);
L77: }
...
L85: await sleep(2000);
L86: process.stdout.write(`${DIM}.${RESET}`);
L87: try {
L88: const poll = await fetch(`${opts.server}/api/pair/${code}`);
L89: if (!poll.ok)
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/go.jsView on unpkg · L75Findings
3 High3 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/go.js
HighCommand Output Exfiltrationdist/go.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings