Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · UrlStrings
Source & flagged code
3 flagged
package.json
•scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
dist/delegate.js
L2: import { existsSync } from "fs";
L3: import { spawnSync } from "child_process";
L4: import { join } from "path";
High
dist/install.js
L158: approveRuntimeScripts(RUNTIME_DIR);
L159: const npmResult = spawnSync("npm", ["install", "--omit=dev"], {
L160: cwd: RUNTIME_DIR,
...
L163: if (npm[redacted] !== 0) {
L164: return fail("npm install in runtime failed");
L165: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/install.js · L158
Findings
4 High · 2 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/delegate.js
High · Shell
High · Runtime Package Install · dist/install.js
Medium · Network
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Url Strings