Static Scan Results
scanned 1d ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · DynamicRequire · EnvironmentVars · Filesystem · Network · HighEntropyStrings · UrlStrings
Source & flagged code
4 flagged
package.json
• scripts.postinstall = node postInstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
postInstall.js
L4: const https = require('https')
L5: const child_process = require('child_process')
L6:
High
L83: function installUsingNPM() {
L84: // Erase "npm[redacted]" so that "npm install --global" works.
L85: // Otherwise this nested "npm install" will also be global, and the install
...
L96: // Run npm install in the temporary directory
L97: child_process.execSync(
L98: `npm install --loglevel=error --prefer-offline --no-audit --progress=false ${platformSpecificPackageName}@${BINARY_DISTRIBUTION_VERSION}`,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
postInstall.js · L83
L1: const fs = require('fs')
L2: const path = require('path')
Medium
Dynamic Require
Package source references dynamic require/import behavior.
postInstall.js · L1
Findings
3 High · 4 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
High · Child Process · postInstall.js
High · Runtime Package Install · postInstall.js
Medium · Dynamic Require · postInstall.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings