nucleus-core-ts@0.9.714

Production-ready, enterprise-grade TypeScript framework for building multi-tenant APIs

Static Scan Results

scanned 17h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: NoLicense, WildcardDependency
scanned 326 file(s), 3.71 MB of source, external domains: admin.yourapp.com, api.openweathermap.org, api.yourapp.com, cdn.jsdelivr.net, discord.com, github.com, json-schema.org, opensource.org, ossrdbms-aad.database.windows.net, provider.com, redis.azure.com, twitter.com, unpkg.com, www.googleapis.com, www.w3.org, yourapp.com

Source & flagged code

5 flagged
infra/scripts/generate-project.ts
L13: import { createInterface } from 'readline/promises'
L14: import { spawnSync } from 'child_process'
High
Child Process

Package source references child process execution.

infra/scripts/generate-project.ts · L13
L675: logStep(`[API] bun install`)
L676: const installBe = spawnSync('bun', ['install'], { cwd: beDir, stdio: ['pipe', 'pipe', 'pipe'] })
L677: if (installBe.status === 0) {
L678:   logSuccess('bun install completed')
L679: } else {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

infra/scripts/generate-project.ts · L675
bin/cli.ts
L79: case 'new': {
L80:   const { scaffold } = await import(join(rootDir, 'infra', 'scripts', 'generate-project.ts'))
L81:   const infraDir = join(rootDir, 'infra')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cli.ts · L79
dist/index.js
L5: this file except in compliance with the License. You may obtain a copy of the
L6: License at http://www.apache.org/licenses/LICENSE-2.0
L7: ...
L14: and limitations under the License.
L15: ***************************************************************************** */var Reflect2;(function(Reflect3){(function(factory){var root=typeof globalThis==="object"?globalThis...
L16: `).slice(1);for(let line of lines){let match=line.match(/at\s+(?:(.+?)\s+)?\(?(.+?):(\d+):(\d+)\)?/);if(!match)continue;let[,fnName,filePath,lineNum]=match,fileName=filePath?filePa...
L17: `).slice(1,4);for(let stackLine of stackLines)method(` ${dim}${stackLine.trim()}${reset}`)}}}getConsoleMethod(level){switch(level){case"debug":return console.debug.bind(console);c...
L18: <defs> ...
L31: ${overlayLines}
L32: </svg>`}function generatePuzzleChallenge(difficulty){let pieceCount=DIFFICULTY_CONFIG[difficulty].puzzlePieces,pieces=[],correctOrder=[];for(let i=0;i<pieceCount;i++)pieces.push({i...
L33: `)&&privateKey.includes("\\n"))privateKey=privateKey.replace(/\\n/g,` ...
L100: return {1, count + 1}
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.js · L5
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.js · L5

Findings

4 High · 5 Medium · 7 Low
High · Child Process · infra/scripts/generate-project.ts
High · Shell
High · Obfuscated Payload Loader · dist/index.js
High · Runtime Package Install · infra/scripts/generate-project.ts
Medium · Dynamic Require · bin/cli.ts
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License