registry  /  madarx  /  2.63.3

madarx@2.63.3

⚠ Under review

Madarx OS — Next.js product with SQLite-backed runtime, scheduled cron daemon, and approval-gated local runners.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,194 file(s), 8.70 MB of source, external domains: 127.0.0.1, a.klaviyo.com, accounts.google.com, analyticsdata.googleapis.com, api-inference.huggingface.co, api.agentmail.to, api.amadeus.com, api.anthropic.com, api.arcads.ai, api.aviationstack.com, api.coingecko.com, api.company-information.service.gov.uk, api.creatify.ai, api.deepseek.com, api.dev.runwayml.com, api.elevenlabs.io, api.firecrawl.dev, api.fireworks.ai, api.flair.ai, api.github.com, api.groq.com, api.hautech.ai, api.hedra.com, api.heygen.com, api.hubapi.com, api.ideogram.ai, api.klingai.com, api.ltx.studio, api.magnific.ai, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.omnisend.com, api.openai.com, api.openmagic.ai, api.opensanctions.org, api.osv.dev, api.piccopilot.com, api.pika.art, api.rendernet.ai, api.replicate.com, api.resend.com, api.sakana.ai, api.search.brave.com, api.slack.com, api.supabase.com, api.telegram.org, api.together.xyz, api.vercel.com, api.viggle.ai

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node --no-warnings scripts/postinstall-splash.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node --no-warnings scripts/postinstall-splash.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
app/api/fs/pick-folder/route.jsView file
1import { spawn } from 'node:child_process'; L2: import os from 'node:os';
High
Child Process

Package source references child process execution.

app/api/fs/pick-folder/route.jsView on unpkg · L1
scripts/google-oauth-mint.mjsView file
20L21: import http from 'node:http'; L22: import { spawn } from 'node:child_process'; L23: import { randomBytes } from 'node:crypto'; ... L33: L34: let CLIENT_ID = arg('client-id') || process.env.GOOGLE_OAUTH_CLIENT_ID || process.env.GOOGLE_CLIENT_ID; L35: let CLIENT_SECRET = arg('client-secret') || process.env.GOOGLE_OAUTH_CLIENT_SECRET || process.env.GOOGLE_CLIENT_SECRET; ... L55: 'https://accounts.google.com/o/oauth2/v2/auth?' + L56: new URLSearchParams({ L57: client_id: CLIENT_ID, ... L68: function openBrowser(url) { L69: const cmd = process.platform === 'darwin' ? 'open'
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

scripts/google-oauth-mint.mjsView on unpkg · L20
20L21: import http from 'node:http'; L22: import { spawn } from 'node:child_process'; L23: import { randomBytes } from 'node:crypto'; ... L33: L34: let CLIENT_ID = arg('client-id') || process.env.GOOGLE_OAUTH_CLIENT_ID || process.env.GOOGLE_CLIENT_ID; L35: let CLIENT_SECRET = arg('client-secret') || process.env.GOOGLE_OAUTH_CLIENT_SECRET || process.env.GOOGLE_CLIENT_SECRET;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/google-oauth-mint.mjsView on unpkg · L20
20L21: import http from 'node:http'; L22: import { spawn } from 'node:child_process'; L23: import { randomBytes } from 'node:crypto'; ... L33: L34: let CLIENT_ID = arg('client-id') || process.env.GOOGLE_OAUTH_CLIENT_ID || process.env.GOOGLE_CLIENT_ID; L35: let CLIENT_SECRET = arg('client-secret') || process.env.GOOGLE_OAUTH_CLIENT_SECRET || process.env.GOOGLE_CLIENT_SECRET; ... L55: 'https://accounts.google.com/o/oauth2/v2/auth?' + L56: new URLSearchParams({ L57: client_id: CLIENT_ID, ... L68: function openBrowser(url) { L69: const cmd = process.platform === 'darwin' ? 'open'
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/google-oauth-mint.mjsView on unpkg · L20
lib/artifact-format.jsView file
9contains invisible/control Unicode U+200D (zero width joiner) const ZERO_WIDTH_JOINER = /<U+200D>/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

lib/artifact-format.jsView on unpkg · L9
.next/standalone/scripts/hermes-command.pyView file
path = .next/standalone/scripts/hermes-command.py kind = payload_in_excluded_dir sizeBytes = 5803 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/standalone/scripts/hermes-command.pyView on unpkg
path = .next/standalone/scripts/hermes-command.py kind = build_helper sizeBytes = 5803 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.next/standalone/scripts/hermes-command.pyView on unpkg
.next/standalone/.next/static/media/99dcf268bda04fe5-s.woff2View file
path = .next/standalone/.[redacted]-s.woff2 kind = high_entropy_blob sizeBytes = 8848 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/standalone/.next/static/media/99dcf268bda04fe5-s.woff2View on unpkg

Findings

2 Critical7 High6 Medium5 Low
CriticalCommand Output Exfiltrationscripts/google-oauth-mint.mjs
CriticalTrojan Source Unicodelib/artifact-format.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processapp/api/fs/pick-folder/route.js
HighShell
HighSame File Env Network Executionscripts/google-oauth-mint.mjs
HighSandbox Evasion Gated Capabilityscripts/google-oauth-mint.mjs
HighShips High Entropy Blob.next/standalone/.next/static/media/99dcf268bda04fe5-s.woff2
HighPayload In Excluded Dir.next/standalone/scripts/hermes-command.py
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.next/standalone/scripts/hermes-command.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings