
pinokiod@7.5.32

⚠ Under review

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 26 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Obfuscated, Protestware, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
scanned 714 file(s), 16.0 MB of source, external domains: 127.0.0.1, accounts.google.com, accounts.spotify.com, aka.ms, antigravity.google, api.github.com, api.spotify.com, api.twitter.com, api.x.com, cdn.jsdelivr.net, cdn.redoc.ly, cdnjs.cloudflare.com, claude.com, code.visualstudio.com, cursor.com, dep.debian.net, discord.gg, download.pytorch.org, fb.me, flag-gimn.ru, github.com, github.com.helper, github.com.provider, graph.microsoft.com, huggingface.co, java.sun.com, jshint.com, login.microsoftonline.com, msdn.microsoft.com, oauth2.googleapis.com, octopress.org, openai.com, pinokio.co, pinokio.localhost, pinokiocomputer.github.io, pqina.nl, raw.githubusercontent.com, reactjs.org, redoc.ly, redocly.com, redux.js.org, stackoverflow.com, sweetalert2.github.io, www.anthropic.com, www.apple.com, www.erlang.org, www.example.com, www.googleapis.com, www.pinokio.co, www.w3.org

Source & flagged code

16 flagged

server/public/redoc.standalone.js
patternName = generic_password severity = medium line = 2 matchedText = !functio...>ma`
Medium
Secret Pattern

Package contains a possible secret pattern.

server/public/redoc.standalone.js · L2

worker.js
L1: const fs = require('fs');
L2: const deserialize = require('child_process').deserialize;
L3: process.on('message', (message) => {
High
Child Process

Package source references child process execution.

worker.js · L1

server/public/swagger-ui-bundle.js
L1: /*! For license information please see swagger-ui-bundle.js.LICENSE.txt */
L2: !function [redacted](s,o){"object"==typeof exports&&"object"==typeof module?module.exports=o():"function"==typeof define&&define.amd?define([],o):"object"==ty...
Critical
Download Execute

Source downloads or fetches remote code and executes it.

server/public/swagger-ui-bundle.js · L1

L1: /*! For license information please see swagger-ui-bundle.js.LICENSE.txt */
L2: !function [redacted](s,o){"object"==typeof exports&&"object"==typeof module?module.exports=o():"function"==typeof define&&define.amd?define([],o):"object"==ty...
High
Shell

Package source references shell execution.

server/public/swagger-ui-bundle.js · L1

patternName = generic_password severity = medium line = 2 matchedText = !functio...)));
Medium
Secret Pattern

Hardcoded password in server/public/swagger-ui-bundle.js

server/public/swagger-ui-bundle.js · L2

server/index.js
L16473: } else if (type === 'function') {
L16474:   val = new Function(arg)
L16475: } else if (type === 'null') {
High
Eval

Package source references dynamic code evaluation.

server/index.js · L16473

Cross-file remote execution chain: server/index.js spawns server/public/task-launcher.js; helper contains network access plus dynamic code execution.
L11: const { rimraf } = require('rimraf')
L12: const { createHttpTerminator } = require('http-terminator')
L13: const cookieParser = require('cookie-parser');
...
L20: const os = require('os')
L21: const { fork, execFile } = require('child_process');
L22: const semver = require('semver')
...
L68: const Kernel = require("../kernel")
L69: const packagejson = require("../package.json")
L70: const Environment = require("../kernel/environment")
...
L198: this.workspaceStatus = new WorkspaceStatusManager({
L199:   enableWatchers: process.env.PINOKIO_DISABLE_WATCH === '1' ? false : true,
L200:   fallbackIntervalMs: 60000,
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

server/index.js · L11

Detached bundled service listener: server/index.js launches a Node helper and exposes a broad-bound HTTP listener.
L11: const { rimraf } = require('rimraf')
L12: const { createHttpTerminator } = require('http-terminator')
L13: const cookieParser = require('cookie-parser');
...
L20: const os = require('os')
L21: const { fork, execFile } = require('child_process');
L22: const semver = require('semver')
...
L68: const Kernel = require("../kernel")
L69: const packagejson = require("../package.json")
L70: const Environment = require("../kernel/environment")
...
L198: this.workspaceStatus = new WorkspaceStatusManager({
L199:   enableWatchers: process.env.PINOKIO_DISABLE_WATCH === '1' ? false : true,
L200:   fallbackIntervalMs: 60000,
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

server/index.js · L11

L11: const { rimraf } = require('rimraf')
L12: const { createHttpTerminator } = require('http-terminator')
L13: const cookieParser = require('cookie-parser');
...
L20: const os = require('os')
L21: const { fork, execFile } = require('child_process');
L22: const semver = require('semver')
...
L68: const Kernel = require("../kernel")
L69: const packagejson = require("../package.json")
L70: const Environment = require("../kernel/environment")
...
L198: this.workspaceStatus = new WorkspaceStatusManager({
L199:   enableWatchers: process.env.PINOKIO_DISABLE_WATCH === '1' ? false : true,
L200:   fallbackIntervalMs: 60000,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

server/index.js · L11

pipe/index.js
L1: const { createProxyMiddleware } = require('http-proxy-middleware');
L2: const { red, yellow, green, blue } = require('kleur');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

pipe/index.js · L1

docker-entrypoint.sh
path = docker-entrypoint.sh kind = build_helper sizeBytes = 2662 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

docker-entrypoint.sh

server/public/chime.mp3
path = server/public/chime.mp3 kind = high_entropy_blob sizeBytes = 17901 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

server/public/chime.mp3

package.json
Runtime dependency names matching Node built-ins: https
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.json

test/git-defaults.test.js
patternName = generic_password severity = medium line = 130 matchedText = password...ken'
Medium
Secret Pattern

Hardcoded password in test/git-defaults.test.js

test/git-defaults.test.js · L130

patternName = generic_password severity = medium line = 139 matchedText = password...ken'
Medium
Secret Pattern

Hardcoded password in test/git-defaults.test.js

test/git-defaults.test.js · L139

test/github-api.test.js
patternName = generic_password severity = medium line = 105 matchedText = api.getC...' })
Medium
Secret Pattern

Hardcoded password in test/github-api.test.js

test/github-api.test.js · L105

Findings

1 Critical · 7 High · 11 Medium · 7 Low

Critical · Download Execute · server/public/swagger-ui-bundle.js
High · Child Process · worker.js
High · Shell · server/public/swagger-ui-bundle.js
High · Eval · server/index.js
High · Cross File Remote Execution Context · server/index.js
High · Spawned Bundled Service Listener · server/index.js
High · Ships High Entropy Blob · server/public/chime.mp3
High · Node Builtin Dependency Squat · package.json
Medium · Secret Pattern · server/public/redoc.standalone.js
Medium · Dynamic Require · pipe/index.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Build Helper · docker-entrypoint.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · test/git-defaults.test.js
Medium · Secret Pattern · test/git-defaults.test.js
Medium · Secret Pattern · test/github-api.test.js
Medium · Secret Pattern · server/public/swagger-ui-bundle.js
Low · Scripts Present
Low · Weak Crypto · server/index.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings