
openfork@1.17.19

⚠ Under review

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Native Bindings, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 371 file(s), 2.60 MB of source, external domains: 127.0.0.1, accounts.x.ai, api.digitalocean.com, api.github.com, api.githubcopilot.com, api.openai.com, api.openfork.dev, api.releases.hashicorp.com, app.openfork.ai, auth.openai.com, auth.x.ai, chatgpt.com, cloud.digitalocean.com, community.chocolatey.org, company.ghe.com, console.openfork.dev, dev.openfork.dev, docs.github.com, download-cdn.jetbrains.com, example.com, formulae.brew.sh, github.com, gitlab.com, inference.do-ai.run, json-schema.org, mcp.exa.ai, models.dev, openfork.ai, openfork.dev, openfork.internal, opncd.ai, raw.githubusercontent.com, search.parallel.ai, social-cards.sst.dev, vercel.link, www.eclipse.org, www.googleapis.com

Source & flagged code

8 flagged

script/postinstall.mjs
L3: import childProcess from "child_process"
L4: import fs from "fs"
High
Child Process

Package source references child process execution.

script/postinstall.mjs · L2

script/postinstall.mjs
L59: for (const executable of ["powershell.exe", "pwsh.exe", "pwsh", "powershell"]) {
L60: try {
High
Shell

Package source references shell execution.

script/postinstall.mjs · L58

script/time.ts
L4: const toDynamicallyImport = path.join(process.cwd(), process.argv[2])
L5: await import(toDynamicallyImport)
L6: console.log(performance.now())
Medium
Dynamic Require

Package source references dynamic require/import behavior.

script/time.ts · L4

src/lsp/server.ts
L1: import type { ChildProcessWithoutNullStreams } from "child_process"
L2: import path from "path"
...
L22: const run = (cmd: string[], opts: Process.RunOptions = {}) => Process.run(cmd, { ...opts, nothrow: true })
L23: const output = (cmd: string[], opts: Process.RunOptions = {}) => Process.text(cmd, { ...opts, nothrow: true })
L24: ...
L117: root: NearestRoot(
L118: ["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"],
L119: ["deno.json", "deno.jsonc"],
...
L129: env: {
L130: ...process.env,
L131: },
...
L182: if (flags.disableLspDownload) return
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

src/lsp/server.ts · L1

matchType = previous_version_dangerous_delta
matchedPackage = openfork@1.17.14
matchedIdentity = npm:b3BlbmZvcms:1.17.14
similarity = 1.000
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/lsp/server.ts

(Same src/lsp/server.ts excerpt, L1 through L182, as shown for the Command Output Exfiltration finding above.)
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/lsp/server.ts · L1

test/server/auth.test.ts
patternName = generic_password
severity = medium
line = 47
matchedText = expect(S...al({
Medium
Secret Pattern

Hardcoded password in test/server/auth.test.ts

test/server/auth.test.ts · L47

test/server/httpapi-listen.test.ts
patternName = generic_password
severity = medium
line = 18
matchedText = const au...t" }
Medium
Secret Pattern

Hardcoded password in test/server/httpapi-listen.test.ts

test/server/httpapi-listen.test.ts · L18

Findings

2 Critical · 3 High · 6 Medium · 5 Low

Critical · Command Output Exfiltration · src/lsp/server.ts
Critical · Previous Version Dangerous Delta · src/lsp/server.ts
High · Child Process · script/postinstall.mjs
High · Shell · script/postinstall.mjs
High · Sandbox Evasion Gated Capability · src/lsp/server.ts
Medium · Dynamic Require · script/time.ts
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · test/server/auth.test.ts
Medium · Secret Pattern · test/server/httpapi-listen.test.ts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings