registry  /  polygrad  /  0.4.0

polygrad@0.4.0

Tensor computation library with native and WASM backends

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscated
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 4.48 MB of source

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.install = node scripts/install-native.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/polygrad.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...A+=`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/polygrad.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...A+=`
Critical
Secret Pattern

AWS access key ID in dist/polygrad.js

dist/polygrad.jsView on unpkg · L1
2`));if(!A)return null;Ag=ig(A,!0)}return Ag.shift()},ZA={ttys:[],init(){},shutdown(){},register(A,Q){ZA.ttys[A]={input:[],output:[],ops:Q},i.registerDevice(A,ZA.stream_ops)},stream... L3: `+h),0}let FA=a.nextPipelineId++;return a.pipelines.set(FA,{pipeline:EA,bindGroupLayout:$,entry:H,wgsl:h}),a.pipelineKeyToId.set(j,FA),k>=7&&console.log(`[polygrad:webgpu:pipeline]...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/polygrad.jsView on unpkg · L2
scripts/install-native.jsView file
10L11: const { execSync } = require('child_process') L12:
High
Child Process

Package source references child process execution.

scripts/install-native.jsView on unpkg · L10
scripts/prepack.jsView file
4Cross-file remote execution chain: scripts/prepack.js spawns dist/polygrad.js; helper contains network access plus dynamic code execution. L4: const path = require('path') L5: const { spawnSync } = require('child_process') L6: L7: const scriptsDir = __dirname L8: const pkgDir = path.resolve(scriptsDir, '..') ... L14: stdio: 'inherit', L15: env: { ...process.env, ...extraEnv } L16: })
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/prepack.jsView on unpkg · L4
binding.gypView file
path = binding.gyp kind = build_helper sizeBytes = 2834 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

binding.gypView on unpkg
dist/polygrad.mjsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...A+=`
Critical
Secret Pattern

AWS access key ID in dist/polygrad.mjs

dist/polygrad.mjsView on unpkg · L1
wasm/polygrad.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = var crea...t})}
Critical
Secret Pattern

AWS access key ID in wasm/polygrad.js

wasm/polygrad.jsView on unpkg · L1

Findings

4 Critical4 High4 Medium5 Low
CriticalCritical Secretdist/polygrad.js
CriticalSecret Patterndist/polygrad.js
CriticalSecret Patterndist/polygrad.mjs
CriticalSecret Patternwasm/polygrad.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/install-native.js
HighShell
HighCross File Remote Execution Contextscripts/prepack.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbinding.gyp
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/polygrad.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings