Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
4 flagged · loading sourcedist/vite-internals-6HS7FULY.cjsView file
32//#endregion
L33: let node_child_process = require("node:child_process");
L34: let node_fs = require("node:fs");
High
Child Process
Package source references child process execution.
dist/vite-internals-6HS7FULY.cjsView on unpkg · L32dist/vite.mjsView file
6* license: MIT
L7: * repository.url: https://github.com/kekyo/muon-ui.git
L8: * git.commit.hash: [redacted]
...
L16: import __screwUpDefaultImportModule0 from "adm-zip";
L17: import { spawn } from "node:child_process";
L18: import * as __screwUpDefaultImportModule0$1 from "sharp";
...
L214: if (i < 0 || i >= l) return TO_STRING ? "" : void 0;
L215: a = s.charCodeAt(i);
L216: return a < 55296 || a > 56319 || i + 1 === l || (b = s.charCodeAt(i + 1)) < 56320 || b > 57343 ? TO_STRING ? s.charAt(i) : a : TO_STRING ? s.slice(i, i + 2) : (a - 55296 << 10) + (...
...
L1744: const writeRaw = (chunk) => {
L1745: process.stderr.write(chunk);
L1746: };
Low
dist/cli.cjsView file
7Cross-file remote execution chain: dist/cli.cjs spawns dist/vite-internals-6HS7FULY.cjs; helper contains network access plus dynamic code execution.
L7: * license: MIT
L8: * repository.url: https://github.com/kekyo/muon-ui.git
L9: * git.commit.hash: [redacted]
...
L12: let commander = require("commander");
L13: let node_child_process = require("node:child_process");
L14: let node_fs = require("node:fs");
...
L21: var import_dist = require_vite_internals.require_dist();
L22: var muonRecycleExitCode = 88;
L23: var defaultProjectConfigFileNames = [
...
L90: };
L91: const previous = process.env[require_vite_internals.[redacted]];
L92: process.env[require_vite_internals.[redacted]] = "1";
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.cjsView on unpkg · L7dist/native/linux-armhf/muon-builderView file
•path = dist/native/linux-armhf/muon-builder
kind = native_binary
sizeBytes = 1030284
magicHex = [redacted]
Medium
Ships Native Binary
Package ships native binary artifacts.
dist/native/linux-armhf/muon-builderView on unpkgFindings
3 High3 Medium4 Low
HighChild Processdist/vite-internals-6HS7FULY.cjs
HighShell
HighCross File Remote Execution Contextdist/cli.cjs
MediumEnvironment Vars
MediumShips Native Binarydist/native/linux-armhf/muon-builder
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/vite.mjs
LowFilesystem
LowHigh Entropy Strings