registry  /  mastracode  /  0.26.0

mastracode@0.26.0

⚠ Under review

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 2.11 MB of source, external domains: 127.0.0.1, api.githubcopilot.com, api.individual.githubcopilot.com, api.moonshot.ai, api.openai.com, auth.openai.com, chatgpt.com, claude.ai, console.anthropic.com, gateway-api.mastra.ai, github.com, mastra.ai, mcp.example.com, registry.npmjs.org, unpkg.com, us.posthog.com

Source & flagged code

6 flagged · loading source
dist/chunk-BULVNQ2P.cjsView file
4var path2 = require('path'); L5: var child_process = require('child_process'); L6: var crypto$1 = require('crypto');
High
Child Process

Package source references child process execution.

dist/chunk-BULVNQ2P.cjsView on unpkg · L4
dist/chunk-NUKVNLFS.cjsView file
2534var VALID_MODES = /* @__PURE__ */ new Set(["default", "path", "login"]); L2535: var VALID_FAMILIES = /* @__PURE__ */ new Set(["posix", "cmd", "powershell"]); L2536: var POWERSHELL_BASENAMES = /* @__PURE__ */ new Set(["pwsh", "pwsh.exe", "powershell", "powershell.exe"]);
High
Shell

Package source references shell execution.

dist/chunk-NUKVNLFS.cjsView on unpkg · L2534
5var chunkJHYTJMKT_cjs = require('./chunk-JHYTJMKT.cjs'); L6: var child_process = require('child_process'); L7: var piTui = require('@earendil-works/pi-tui'); ... L473: /** L474: * Private constructor — use static factories or the options constructor. L475: */ ... L777: const box = this.makeBox(); L778: box.addChild(new piTui.Text(chunkKGBCGF6C_cjs.theme.bold(chunkKGBCGF6C_cjs.theme.fg("accent", "\u{1F44B} Welcome to Mastra Code")), 0, 0)); L779: box.addChild(new piTui.Spacer(1)); ... L862: box.addChild( L863: new piTui.Text(chunkKGBCGF6C_cjs.theme.fg("dim", "See https://mastra.ai/models for supported providers and API key env vars."), 0, 0) L864: );
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-NUKVNLFS.cjsView on unpkg · L5
5var chunkJHYTJMKT_cjs = require('./chunk-JHYTJMKT.cjs'); L6: var child_process = require('child_process'); L7: var piTui = require('@earendil-works/pi-tui'); ... L10356: }); L10357: const buffer = fs2.readFileSync(tmpFile); L10358: if (!Buffer.isBuffer(buffer) || buffer.length === 0) { ... L14342: const settings = chunkKGBCGF6C_cjs.loadSettings(); L14343: const effectiveUrl = settings.memoryGateway?.baseUrl ?? process.env["MASTRA_GATEWAY_URL"] ?? chunkKGBCGF6C_cjs.MEMORY_GATEWAY_DEFAULT_URL; L14344: if (currentKey) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/chunk-NUKVNLFS.cjsView on unpkg · L5
5var chunkJHYTJMKT_cjs = require('./chunk-JHYTJMKT.cjs'); L6: var child_process = require('child_process'); L7: var piTui = require('@earendil-works/pi-tui'); ... L473: /** L474: * Private constructor — use static factories or the options constructor. L475: */ ... L777: const box = this.makeBox(); L778: box.addChild(new piTui.Text(chunkKGBCGF6C_cjs.theme.bold(chunkKGBCGF6C_cjs.theme.fg("accent", "\u{1F44B} Welcome to Mastra Code")), 0, 0)); L779: box.addChild(new piTui.Spacer(1)); ... L862: box.addChild( L863: new piTui.Text(chunkKGBCGF6C_cjs.theme.fg("dim", "See https://mastra.ai/models for supported providers and API key env vars."), 0, 0) L864: );
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-NUKVNLFS.cjsView on unpkg · L5
dist/chunk-Z3HFSXTB.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = mastracode@0.27.0 matchedIdentity = npm:bWFzdHJhY29kZQ:0.27.0 similarity = 0.560 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/chunk-Z3HFSXTB.cjsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/chunk-Z3HFSXTB.cjs
HighChild Processdist/chunk-BULVNQ2P.cjs
HighShelldist/chunk-NUKVNLFS.cjs
HighSandbox Evasion Gated Capabilitydist/chunk-NUKVNLFS.cjs
HighRemote Agent Bridgedist/chunk-NUKVNLFS.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-NUKVNLFS.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings