nekostream@2026.2.8

⚠ Under review

Better version of NekoStream

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 38 file(s), 414 KB of source, external domains: anime47.best, animehay.ink, animehay01.site, animevietsub.bz, animevietsub.fan, animevietsub.love, animevietsub.site, animevietsub.tv, api.jikan.moe, discord.gg, graphql.anilist.co, media.anilist.co, registry.npmjs.org, s4.anilist.co, www.npmjs.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = playwright install chromium
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = playwright install chromium
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/index.js
L40: const path_1 = __importDefault(require("path"));
L41: const child_process_1 = require("child_process");
L42: const prompts_wrapper_1 = __importDefault(require("./prompts-wrapper"));
High
Child Process

Package source references child process execution.

dist/index.js · L40
L591: if (update) {
L592:     const installCommand = `npm i -g ${NPM_PACKAGE_NAME}@latest`;
L593:     const spinner = (0, ora_1.default)(`Đang cập nhật (${installCommand})...`).start();
L594:     try {
L595:         (0, child_process_1.execSync)(installCommand, { stdio: 'ignore' });
L596:         spinner.succeed(chalk_1.default.green('Đã cập nhật thành công! Vui lòng chạy lại lệnh để sử dụng bản mới.'));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.js · L591
dist/player.js
matchType = previous_version_dangerous_delta
matchedPackage = nekostream@2026.1.4
matchedIdentity = npm:bmVrb3N0cmVhbQ:2026.1.4
similarity = 0.680
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/player.js

Findings

1 Critical · 3 High · 4 Medium · 6 Low
Critical · Previous Version Dangerous Delta · dist/player.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License