registry  /  infra-kit  /  0.3.0

infra-kit@0.3.0

infra-kit

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 18 file(s), 268 KB of source, external domains: 127.0.0.1, acme.atlassian.net, cli.github.com, cmux.com, cursor.com, dashboard.doppler.com, docs.aws.amazon.com, docs.doppler.com, github.com, registry.npmjs.org, your-domain.atlassian.net, zed.dev

Source & flagged code

4 flagged · loading source
dist/chunk-E2SEBLGJ.jsView file
1import{a as P}from"./chunk-6FU2TRU5.js";import{m as f,q as x}from"./chunk-CHETBZ6M.js";import c from"node:path";var m="infra-kit",g=`${m}@latest`,S=(t,e,n)=>{let r=c.relative(n(c.r... L2: //# sourceMappingURL=chunk-E2SEBLGJ.js.map
High
Child Process

Package source references child process execution.

dist/chunk-E2SEBLGJ.jsView on unpkg · L1
dist/dev-server.jsView file
7`),n(),e(_e(s));return}i=s,(async()=>{try{await t(s)}catch(a){Or(s,a)}finally{e(_e(s))}})()};for(let s of Tr)r(s,()=>o(s))};var _r=(t,e)=>t.map(({app:r,targets:n})=>`pnpm exec infr... L8: Received ${e}, closing cmux dev workspace ${t}...`),await De(t)}})},We=async t=>{let e=$(Ur.cwd()),r=Mr(e,F(t.include));if(r.length===0){T.warn("No API apps found to run");return}l... L9: ${e.stack??"(no stack)"}`:String(e);return` ... L11: dev-server kept alive (likely a bug in a handler's async path); restart if it misbehaves. L12: `},Br=(t,e)=>{Hr(Z(t,e))},Gr=(t,e)=>{je.on(t,e)},He=({onFault:t=Br,register:e=Gr}={})=>{let r=n=>i=>{t(n,i)};e("uncaughtException",r("uncaughtException")),e("unhandledRejection",r(... L13: `)?r:`${r} ... L17: `);y=C.pop()??"";for(let R of C)R!==""&&t.write(a(),R,{level:g});y.length>8192&&P();let E=A.find(R=>typeof R=="function");return typeof E=="function"&&te.nextTick(E),!0}),()=>{P(),... L18: `)})}serverConfig;importCacheBust;logger;server;controllers={};registeredRouteKeys=new Set;getRegisteredRoutes(){return[...this.registeredRouteKeys].sort()}async start(){this.regis... L19: `);r=o.pop()??"";for(let s of o)n(s);r.length>Et&&(n(r),r="")}),t.on("end",()=>{r!=="
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/dev-server.jsView on unpkg · L7
17`);y=C.pop()??"";for(let R of C)R!==""&&t.write(a(),R,{level:g});y.length>8192&&P();let E=A.find(R=>typeof R=="function");return typeof E=="function"&&te.nextTick(E),!0}),()=>{P(),... L18: `)})}serverConfig;importCacheBust;logger;server;controllers={};registeredRouteKeys=new Set;getRegisteredRoutes(){return[...this.registeredRouteKeys].sort()}async start(){this.regis... L19: `);r=o.pop()??"";for(let s of o)n(s);r.length>Et&&(n(r),r="")}),t.on("end",()=>{r!==""&&(n(r),r="")}),t.on("error",i=>{e.appendLog?.(`[infra-kit] ui dev stream error: ${i.message}
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/dev-server.jsView on unpkg · L17
dist/chunk-CHETBZ6M.jsView file
1import T from"node:crypto";import r from"node:fs";import F from"node:os";import n from"node:path";import A from"node:process";var V="env-load.sh",a="env-clear.sh",p="projects",O=72... L2: `)){if(!_){let c=I.exec(s);c&&o.push(c[1])}_=L(s,_)}return o},R=()=>{let t=A.env.XDG_CACHE_HOME,e=t&&t.length>0?t:n.join(F.homedir(),".cache");return n.join(e,"infra-kit")},f=()=>{... L3: //# sourceMappingURL=chunk-CHETBZ6M.js.map
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-CHETBZ6M.jsView on unpkg · L1

Findings

2 High4 Medium6 Low
HighChild Processdist/chunk-E2SEBLGJ.js
HighCommand Output Exfiltrationdist/dev-server.js
MediumDynamic Requiredist/dev-server.js
MediumNetwork
MediumInstall Persistencedist/chunk-CHETBZ6M.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License
infra-kit@0.3.0: Suspicious npm security report (Warn) | LPM Firewall