Static Scan Results
scanned 3d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/cli/index.mjsView file
986const types = await client.schemaTypes();
L987: const { writeFile, mkdir } = await import("node:fs/promises");
L988: const { resolve: resolvePath, dirname } = await import("node:path");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/cli/index.mjsView on unpkg · L986dist/ssrf-TrKYJAy0.mjsView file
4*
L5: * Validates that URLs don't target internal/private network addresses.
L6: * Applied before any fetch() call in the import pipeline.
L7: */
...
L196: if (hasProperty(raw, "Answer") && Array.isArray(raw.Answer)) {
L197: for (const entry of raw.Answer) if (hasProperty(entry, "data") && typeof entry.data === "string") answers.push({ data: entry.data });
L198: }
...
L205: * Resolve a hostname via DNS over HTTPS (Cloudflare). Returns all A and AAAA
L206: * records. Works in both Workers and Node without requiring node:dns.
L207: *
...
L224: if (!response.ok) throw new Error(`DoH lookup failed: ${response.status}`);
L225: const body = parseDohResponse(await response.json());
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/ssrf-TrKYJAy0.mjsView on unpkg · L4dist/astro/index.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = kafecms@0.29.0
matchedIdentity = npm:a2FmZWNtcw:0.29.0
similarity = 0.933
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/astro/index.mjsView on unpkgFindings
2 High4 Medium4 Low
HighCloud Metadata Accessdist/ssrf-TrKYJAy0.mjs
HighPrevious Version Dangerous Deltadist/astro/index.mjs
MediumDynamic Requiredist/cli/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings