registry  /  mastracode  /  0.28.0

mastracode@0.28.0

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 30 file(s), 2.43 MB of source, external domains: 127.0.0.1, api.githubcopilot.com, api.groq.com, api.individual.githubcopilot.com, api.moonshot.ai, api.openai.com, api.scaleway.ai, auth.openai.com, chatgpt.com, claude.ai, cloud-api.near.ai, console.anthropic.com, dashscope-intl.aliyuncs.com, dashscope.aliyuncs.com, gateway-api.mastra.ai, github.com, integrate.api.nvidia.com, mastra.ai, mcp.example.com, models.dev, models.think.evroc.com, registry.npmjs.org, unpkg.com, us.posthog.com

Source & flagged code

10 flagged · loading source
dist/chunk-NCX7DSJ7.cjsView file
5var chunkJHYTJMKT_cjs = require('./chunk-JHYTJMKT.cjs'); L6: var child_process = require('child_process'); L7: var crypto = require('crypto');
High
Child Process

Package source references child process execution.

dist/chunk-NCX7DSJ7.cjsView on unpkg · L5
2539var VALID_MODES = /* @__PURE__ */ new Set(["default", "path", "login"]); L2540: var VALID_FAMILIES = /* @__PURE__ */ new Set(["posix", "cmd", "powershell"]); L2541: var POWERSHELL_BASENAMES = /* @__PURE__ */ new Set(["pwsh", "pwsh.exe", "powershell", "powershell.exe"]);
High
Shell

Package source references shell execution.

dist/chunk-NCX7DSJ7.cjsView on unpkg · L2539
5var chunkJHYTJMKT_cjs = require('./chunk-JHYTJMKT.cjs'); L6: var child_process = require('child_process'); L7: var crypto = require('crypto'); ... L477: /** L478: * Private constructor — use static factories or the options constructor. L479: */ ... L781: const box = this.makeBox(); L782: box.addChild(new piTui.Text(chunkT5FGP3US_cjs.theme.bold(chunkT5FGP3US_cjs.theme.fg("accent", "\u{1F44B} Welcome to Mastra Code")), 0, 0)); L783: box.addChild(new piTui.Spacer(1)); ... L866: box.addChild( L867: new piTui.Text(chunkT5FGP3US_cjs.theme.fg("dim", "See https://mastra.ai/models for supported providers and API key env vars."), 0, 0) L868: );
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-NCX7DSJ7.cjsView on unpkg · L5
5var chunkJHYTJMKT_cjs = require('./chunk-JHYTJMKT.cjs'); L6: var child_process = require('child_process'); L7: var crypto = require('crypto'); ... L2945: // `name`/`options` are typed for OpenAI's own ids, but the underlying client L2946: // accepts any model string + baseURL — both are passed through verbatim. L2947: listeningModel: { ... L10831: }); L10832: const buffer = fs2.readFileSync(tmpFile); L10833: if (!Buffer.isBuffer(buffer) || buffer.length === 0) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/chunk-NCX7DSJ7.cjsView on unpkg · L5
5var chunkJHYTJMKT_cjs = require('./chunk-JHYTJMKT.cjs'); L6: var child_process = require('child_process'); L7: var crypto = require('crypto'); ... L477: /** L478: * Private constructor — use static factories or the options constructor. L479: */ ... L781: const box = this.makeBox(); L782: box.addChild(new piTui.Text(chunkT5FGP3US_cjs.theme.bold(chunkT5FGP3US_cjs.theme.fg("accent", "\u{1F44B} Welcome to Mastra Code")), 0, 0)); L783: box.addChild(new piTui.Spacer(1)); ... L866: box.addChild( L867: new piTui.Text(chunkT5FGP3US_cjs.theme.fg("dim", "See https://mastra.ai/models for supported providers and API key env vars."), 0, 0) L868: );
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-NCX7DSJ7.cjsView on unpkg · L5
dist/headless.cjsView file
2L3: var chunkPOOGOLWK_cjs = require('./chunk-POOGOLWK.cjs'); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/headless.cjsView on unpkg · L2
dist/chunk-QK7PXNAX.jsView file
matchType = previous_version_dangerous_delta matchedPackage = mastracode@0.27.0 matchedIdentity = npm:bWFzdHJhY29kZQ:0.27.0 similarity = 0.828 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-QK7PXNAX.jsView on unpkg
CHANGELOG.mdView file
332patternName = private_key_rsa severity = critical line = 332 matchedText = GITHUB_A...---"
Critical
Secret Pattern

RSA private key in CHANGELOG.md

CHANGELOG.mdView on unpkg · L332
560patternName = private_key_rsa severity = critical line = 560 matchedText = GITHUB_A...---"
Critical
Secret Pattern

RSA private key in CHANGELOG.md

CHANGELOG.mdView on unpkg · L560
README.mdView file
300patternName = private_key_rsa severity = critical line = 300 matchedText = export G...---"
Critical
Secret Pattern

RSA private key in README.md

README.mdView on unpkg · L300

Findings

3 Critical5 High5 Medium5 Low
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternREADME.md
HighChild Processdist/chunk-NCX7DSJ7.cjs
HighShelldist/chunk-NCX7DSJ7.cjs
HighSandbox Evasion Gated Capabilitydist/chunk-NCX7DSJ7.cjs
HighRemote Agent Bridgedist/chunk-NCX7DSJ7.cjs
HighPrevious Version Dangerous Deltadist/chunk-QK7PXNAX.js
MediumDynamic Requiredist/headless.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-NCX7DSJ7.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings