Static Scan Results
scanned 3h ago · by rust-scanner
Static analysis flagged 10 findings at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Decision evidence
public snapshot
Behavioral surface: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, Url Strings
Source & flagged code
3 flagged

dist/delegate.js
L2: import { existsSync } from "fs";
L3: import { spawnSync } from "child_process";
L4: import { join } from "path";
Severity: High
dist/install.js
matchType = previous_version_dangerous_delta
matchedPackage = gabion@0.1.18
matchedIdentity = npm:Z2FiaW9u:0.1.18
similarity = 0.700
summary = stored previous version shares package body but lacks this dangerous source file
Severity: Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file (dist/install.js) that is absent from the previous stored version (gabion@0.1.18); route it for source-aware review.
dist/install.js
L158: approveRuntimeScripts(RUNTIME_DIR);
L159: const npmResult = spawnSync("npm", ["install", "--omit=dev", "--no-fund", "--no-audit"], {
L160:   cwd: RUNTIME_DIR,
...
L163: if (npm[redacted] !== 0) {
L164:   return fail("npm install in runtime failed");
L165: }
Severity: High
Runtime Package Install
Package source invokes a package manager install command (npm install, with cwd set to RUNTIME_DIR) at runtime, so the dependencies that actually execute are resolved at run time rather than fixed at publish time.
Location: dist/install.js L158

Findings
1 Critical · 3 High · 2 Medium · 4 Low
Critical · Previous Version Dangerous Delta · dist/install.js
High · Child Process · dist/delegate.js
High · Shell
High · Runtime Package Install · dist/install.js
Medium · Network
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Url Strings
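The two source-level findings above, Runtime Package Install and Previous Version Dangerous Delta, can be reproduced with a small regex-based check over two version snapshots. The following is an added example written for this page, not rust-scanner's own code: the package contents, file paths and the path-overlap similarity measure are constructed and hypothetical, and the page does not say how the scanner computes its own 0.700 score.

```javascript
// Added example (not the scanner's code): a minimal static check that reproduces
// the two findings above: (1) a package-manager install spawned at runtime, and
// (2) a file that is new relative to the previous stored version and carries that signal.
// All file contents, paths and the similarity measure below are constructed/hypothetical.

const PACKAGE_MANAGERS = new Set(["npm", "yarn", "pnpm", "bun"]);
const INSTALL_VERBS = new Set(["install", "i", "ci", "add"]);

// spawnSync("npm", ["install", ...]) / spawn / execFile / execFileSync with an argv array
const ARGV_RE = /\b(?:spawnSync|spawn|execFileSync|execFile)\s*\(\s*["'`](\w+)["'`]\s*,\s*\[\s*["'`]([^"'`]+)["'`]/g;
// execSync("npm install ...") / exec("yarn add ...") with a shell command string
const SHELL_RE = /\b(?:execSync|exec)\s*\(\s*["'`]\s*(\w+)\s+([a-z-]+)/g;

// Returns every line of `source` that invokes a package-manager install verb.
function findRuntimeInstalls(source) {
  const hits = [];
  source.split("\n").forEach((line, idx) => {
    for (const re of [ARGV_RE, SHELL_RE]) {
      for (const m of line.matchAll(re)) {
        const [, bin, verb] = m;
        if (PACKAGE_MANAGERS.has(bin) && INSTALL_VERBS.has(verb)) {
          hits.push({ line: idx + 1, command: `${bin} ${verb}` });
        }
      }
    }
  });
  return hits;
}

// Paths present in the current version but absent from the stored previous one.
function addedFiles(previousFiles, currentFiles) {
  return Object.keys(currentFiles).filter((p) => !(p in previousFiles)).sort();
}

// Hypothetical similarity: Jaccard overlap of file paths between the two versions.
// Only a stand-in; the scanner's own score is computed differently (not shown on the page).
function pathSimilarity(previousFiles, currentFiles) {
  const prev = new Set(Object.keys(previousFiles));
  const cur = new Set(Object.keys(currentFiles));
  const shared = [...prev].filter((p) => cur.has(p)).length;
  const union = new Set([...prev, ...cur]).size;
  return union === 0 ? 1 : shared / union;
}

// Flags added files that introduce a runtime install: the "dangerous delta".
function dangerousDelta(previousFiles, currentFiles) {
  const findings = [];
  for (const path of addedFiles(previousFiles, currentFiles)) {
    const hits = findRuntimeInstalls(currentFiles[path]);
    if (hits.length > 0) findings.push({ path, hits });
  }
  return { similarity: pathSimilarity(previousFiles, currentFiles), findings };
}

// Constructed sample: two versions of a fictional package as path -> source maps.
// dist/install.js is new in the current version and spawns `npm install`;
// dist/build.js is also new but only runs `npm run build`, which is not an install.
const PREVIOUS = {
  "package.json": '{"name":"example-pkg","version":"0.1.0"}',
  "dist/index.js": 'export const hello = () => "hi";\n',
};
const CURRENT = {
  "package.json": '{"name":"example-pkg","version":"0.1.1"}',
  "dist/index.js": 'export const hello = () => "hi";\n',
  "dist/install.js": [
    'import { spawnSync } from "child_process";',
    'const RUNTIME_DIR = "/tmp/runtime";',
    'const npmResult = spawnSync("npm", ["install", "--omit=dev", "--no-fund"], { cwd: RUNTIME_DIR });',
    'if (npmResult.status !== 0) throw new Error("npm install in runtime failed");',
  ].join("\n"),
  "dist/build.js": 'import { execSync } from "child_process";\nexecSync("npm run build");\n',
};

console.log(JSON.stringify(dangerousDelta(PREVIOUS, CURRENT), null, 2));
```

Running the block reports one finding, dist/install.js at line 3 ("npm install"), while dist/build.js is ignored because "run" is not an install verb. A real scanner would parse the AST rather than match regexes (this check misses indirection such as a command stored in a variable), but the shape of the decision, added file plus install signal, is the same.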