Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/cli.mjsView file
3import { createRequire } from "node:module";
L4: import { spawn } from "node:child_process";
L5: import process$1 from "node:process";
...
L14: import { createHash } from "node:crypto";
L15: import { createServer } from "node:http";
L16: //#region \0rolldown/runtime.js
...
L260: if ([
L261: "GITHUB_ACTIONS",
L262: "GITEA_ACTIONS",
...
L302: supportsColor = {
L303: stdout: createSupportsColor({ isTTY: tty.isatty(1) }),
L304: stderr: createSupportsColor({ isTTY: tty.isatty(2) })
High
Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/cli.mjsView on unpkg · L348var __toCommonJS = (mod) => __hasOwnProp.call(mod, "module.exports") ? mod["module.exports"] : __copyProps(__defProp({}, "__esModule", { value: true }), mod);
L49: var __require = /* @__PURE__ */ createRequire(import.meta.url);
L50: //#endregion
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/cli.mjsView on unpkg · L4810350body = ast.body[0].expression.body.range;
L10351: if (ast.body[0].expression.body.type === "BlockStatement") return new Function(params, source.slice(body[0] + 1, body[1] - 1));
L10352: return new Function(params, "return " + source.slice(body[0], body[1]));
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/cli.mjsView on unpkg · L10350Findings
1 High4 Medium6 Low
HighObfuscated Payload Loaderdist/cli.mjs
MediumDynamic Requiredist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/cli.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License