registry  /  pkg-sentinel  /  0.1.1

pkg-sentinel@0.1.1

Production-quality npm supply-chain security CLI — trust analysis, health scoring, install script inspection, typosquatting detection, and AI-powered risk summaries.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 416 KB of source, external domains: api.github.com, api.npmjs.org, github.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
559const buffer = Buffer.from(arrayBuffer); L560: const { Readable } = await import('stream'); L561: const tar = await import('tar');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L559
1899name = "obfuscation"; L1900: description = "Detects eval(), dynamic code execution, obfuscated code, and high-entropy strings"; L1901: getVisitors(ctx) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L1899
dist/index.cjsView file
53})(AnalysisStatus || {}); L54: var ExitCode = /* @__PURE__ */ ((ExitCode2) => { L55: ExitCode2[ExitCode2["Success"] = 0] = "Success"; ... L143: const patterns = [ L144: // https://github.com/owner/repo L145: /github\.com\/([^/]+)\/([^/\s#?.]+)/, ... L331: packageVersion: context.packageVersion, L332: npmData: context.npmMetadata, L333: githubData: context.githubData, ... L406: if (contentType.includes("application/json")) { L407: data = await response.json(); L408: } else {
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.cjsView on unpkg · L53
53})(AnalysisStatus || {}); L54: var ExitCode = /* @__PURE__ */ ((ExitCode2) => { L55: ExitCode2[ExitCode2["Success"] = 0] = "Success"; ... L143: const patterns = [ L144: // https://github.com/owner/repo L145: /github\.com\/([^/]+)\/([^/\s#?.]+)/, ... L331: packageVersion: context.packageVersion, L332: npmData: context.npmMetadata, L333: githubData: context.githubData, ... L406: if (contentType.includes("application/json")) { L407: data = await response.json(); L408: } else {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.cjsView on unpkg · L53

Findings

1 High5 Medium6 Low
HighObfuscated Payload Loaderdist/index.cjs
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.cjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings