registry  /  pushy-server  /  2026.7.5-48b7993f

pushy-server@2026.7.5-48b7993f

⚠ Under review

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 17 file(s), 4.28 MB of source, external domains: accounts.google.com, api.nodemailer.com, cdn.jsdelivr.net, cresc.dev, ely.sia, ethereal.email, github.com, jimmy.warting.se, jira.mariadb.org, json-schema.org, mail.google.com, mths.be, nodemailer.com, openapi.alipay.com, pris.ly, pushy.reactnative.cn, registry.npmjs.org, s.io, sts.aliyuncs.com, www.apple.com, www.prisma.io, www.w3.org
Oversized source lightweight scan
lib/chunk-wpxk81hk.js4.61 MB file, sampled 256 KB
HighEntropyStringsMinified

Source & flagged code

12 flagged · loading source
lib/chunk-ay15an5e.jsView file
7patternName = generic_password severity = medium line = 7 matchedText = `),typeo...ion.
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/chunk-ay15an5e.jsView on unpkg · L7
lib/chunk-nv1c3xeq.jsView file
1// @bun L2: import{spawnSync as k}from"child_process";import{accessSync as j,constants as M,existsSync as l,readdirSync as A,readFileSync as E,writeFileSync as y}from"fs";import m from"os";imp... L3:
High
Child Process

Package source references child process execution.

lib/chunk-nv1c3xeq.jsView on unpkg · L1
lib/chunk-b9fredyc.jsView file
24L25: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}zG.exports=FG});var vG=F((yG)=>{var jG=g("os"),MA=g("path"),fG=jG.tmpdir(),TN=p... L26: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Shell

Package source references shell execution.

lib/chunk-b9fredyc.jsView on unpkg · L24
11`,hD=(H,T)=>{let A=[],L="";if(typeof T==="string")T={section:T,whitespace:!1};else T=T||Object.create(null),T.whitespace=T.whitespace===!0;let _=T.whitespace?" = ":"=";for(let E of... L12: `;else if(I&&typeof I==="object")A.push(E);else L+=JL(E)+_+JL(I)+kD}if(T.section&&L.length)L="["+JL(T.section)+"]"+kD+L;for(let E of A){let I=x0(E).join("\\."),C=(T.section?T.secti... L13: `:` ... L16: `],["r","\r"],["t","\t"],["b","\b"],["f","\f"],["v","\v"],["0","\x00"],["\\","\\"],["e","\x1B"],["a","\x07"]]);function kS(H){let T=H[0]==="u",A=H[1]==="{";if(T&&!A&&H.length===5||... L17: `);if(E!==-1)T=$J(T,_,L,E);return L+T+_},WD,xS=(H,...T)=>{let[A]=T;if(!nE(A)||!nE(A.raw))return T.join(" ");let L=T.slice(1),_=[A.raw[0]];for(let E=1;E<A.length;E++)_.push(String(L... L18: GFS4: `),console.error(H)};if(!WH[sH]){if(uD=global[sH]||[],_G(WH,uD),WH.close=function(H){function T(A,L){return H.call(WH,A,function(_){if(!_)LG();if(typeof L==="function")L.appl... ... L24: L25: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}zG.exports=FG});var vG=F((yG)=>{var jG=g("os"),MA=g("path"),fG=jG.tmpdir(),TN=p... L26: `,aabOpenApksFailed:"Failed to open ge
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/chunk-b9fredyc.jsView on unpkg · L11
11`,hD=(H,T)=>{let A=[],L="";if(typeof T==="string")T={section:T,whitespace:!1};else T=T||Object.create(null),T.whitespace=T.whitespace===!0;let _=T.whitespace?" = ":"=";for(let E of... L12: `;else if(I&&typeof I==="object")A.push(E);else L+=JL(E)+_+JL(I)+kD}if(T.section&&L.length)L="["+JL(T.section)+"]"+kD+L;for(let E of A){let I=x0(E).join("\\."),C=(T.section?T.secti... L13: `:` ... L15: `,_)}while(L!==-1);return E+=H.substr(_),E};RS.exports={stringReplaceAll:RJ,stringEncaseCRLFWithFirstIndex:CJ}});var KS=F((Pw,hS)=>{var SJ=/(?:\\(u(?:[a-f\d]{4}|\{[a-f\d]{1,6}\})|x... L16: `],["r","\r"],["t","\t"],["b","\b"],["f","\f"],["v","\v"],["0","\x00"],["\\","\\"],["e","\x1B"],["a","\x07"]]);function kS(H){let T=H[0]==="u",A=H[1]==="{";if(T&&!A&&H.length===5||... L17: `);if(E!==-1)T=$J(T,_,L,E);return L+T+_},WD,xS=(H,...T)=>{let[A]=T;if(!nE(A)||!nE(A.raw))return T.join(" ");let L=T.slice(1),_=[A.raw[0]];for(let E=1;E<A.length;E++)_.push(String(L... L18: GFS4: `),console.error(H)};if(!WH[sH]){if(uD=global[sH]||[],_G(WH,uD),WH.close=function(H){function T(A,L){return H.call(WH,A,function(_){if(!_)LG();if(typeof L==="function")L.appl... ... L24: L25: `);return L.split(",")}switch(H){case"
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/chunk-b9fredyc.jsView on unpkg · L11
1Cross-file remote execution chain: lib/chunk-b9fredyc.js spawns lib/chunk-8qx9a08j.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{$ as dc,I as KN,R as MN,S as yc,T as vc,U as uc,V as gc,W as bc,X as uR,Z as mc,_ as mR}from"./chunk-h7qfeewy.js";import{$a as gR,Na as uH,Xa as Oc,Ya as pc,ha as j9,na as Z... L3: loaded from: `+H+` L4: `);function C(R){var S=m9(kA.join(R,"prebuilds")).map(I8),G=S.filter(D8(g9,u9)).sort(B8)[0];if(!G)return;var D=kA.join(R,"prebuilds",G.name),B=m9(D).map(R8),k=B.filter(C8(v9,tR)),h... L5: ... L11: `,hD=(H,T)=>{let A=[],L="";if(typeof T==="string")T={section:T,whitespace:!1};else T=T||Object.create(null),T.whitespace=T.whitespace===!0;let _=T.whitespace?" = ":"=";for(let E of... L12: `;else if(I&&typeof I==="object")A.push(E);else L+=JL(E)+_+JL(I)+kD}if(T.section&&L.length)L="["+JL(T.section)+"]"+kD+L;for(let E of A){let I=x0(E).join("\\."),C=(T.section?T.secti... L13: `:` ... L15: `,_)}while(L!==-1);return E+=H.substr(_),E};RS.exports={stringReplaceAll:RJ,stringEncaseCRLFWithFirstIndex:CJ}});var KS=F((Pw,hS)=>{var SJ=/(?:\\(u(?:[a-f\d]{4}|\{[a-f\d]{1,6}\})|x... L16: `],["r","\r"],["t","\t"],["b","\b"],["f","\f"],…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/chunk-b9fredyc.jsView on unpkg · L1
59@#[line:`+H.lineNumber+",col:"+H.columnNumber+"]"}function GK(H,T,A){if(typeof H=="string")return H.substr(T,A);else{if(H.length>=T+A||T)return new java.lang.String(H,T,A)+"";retur... L60: `,$.offset=(z=N.offset)!=null?z:0,$.width=(X=N.width)!=null?X:0,$.dontPrettyTextNodes=(K=(M=N.dontPrettyTextNodes)!=null?M:N.dontprettytextnodes)!=null?K:0,$.spaceBeforeSlash=(U=(V... L61: `+A.join(`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/chunk-b9fredyc.jsView on unpkg · L59
lib/index.jsView file
274`),console.warn($G.valibot);break;case"effect":if(n4.effect)break;n4.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L275: `),console.warn($G.effect);break}if(G==="arktype")return x4($?.toJsonSchema?.());return x4($.toJSONSchema?.()??$?.toJsonSchema?.())}catch(w){console.warn(w)}},x4=($)=>{if(!$||typeo... L276:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/index.jsView on unpkg · L274
3causes have become circular...`;let G=zX($);if(G)return q.add($),Y+` L4: caused by: `+nW(G,q);else return Y},MM=($)=>nW($,new Set),xW=($,q,Y)=>{if(!dq($))return"";let G=Y?"":$.message||"";if(q.has($))return G+": ...";let w=zX($);if(w){q.add($);let X=typ... L5: ${J}`,E=`, ... L21: ${v}${o} L22: ${J}`;return T.pop(),`{${o}}`}case"number":return isFinite(z)?String(z):q?q(z):"null";case"boolean":return z===!0?"true":"false";case"undefined":return;case"bigint":if(G)return Str... L23: `:` ... L25: Supported algorithms are: L26: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,Qq="secret must be a string or buffer",Gq="key must be a str... L27: * mime-types ... L42: `);if(I.push(f,J,z),typeof J.size==="number")Z+=f.byteLength+J.size+z.byteLength;else T=!0}let c=nw.encode(`--${j}--\r L43: `);if(I.push(c),Z+=c.byteLength,T)Z=null;X=$,w=async function*(){for(let v of I)if(v.stream)yield*v.stream();else yield v},K=`multipart/form-data; boundary=${j}`}else if(U8.is.Blob... L44: `).map((G)=>G.trim()).filter((G)=>G!==""&&!G.startsWith("#"));while(Y.length>0)q.push(UF(Y));if(q.length===0)throw Error("PEM: no block");return
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/index.jsView on unpkg · L3
lib/node-hdiffpatch-q8ah3hfz.nodeView file
path = lib/node-hdiffpatch-q8ah3hfz.node kind = native_binary sizeBytes = 463096 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

lib/node-hdiffpatch-q8ah3hfz.nodeView on unpkg
lib/chunk-wpxk81hk.jsView file
path = lib/chunk-wpxk81hk.js kind = oversized_source_file sizeBytes = 4837698 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

lib/chunk-wpxk81hk.jsView on unpkg
lib/chunk-8qx9a08j.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pushy-server@2026.7.4-3330c756 matchedIdentity = npm:cHVzaHktc2VydmVy:2026.7.4-3330c756 similarity = 0.765 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/chunk-8qx9a08j.jsView on unpkg

Findings

1 Critical7 High7 Medium6 Low
CriticalPrevious Version Dangerous Deltalib/chunk-8qx9a08j.js
HighChild Processlib/chunk-nv1c3xeq.js
HighShelllib/chunk-b9fredyc.js
HighSame File Env Network Executionlib/chunk-b9fredyc.js
HighCommand Output Exfiltrationlib/chunk-b9fredyc.js
HighCross File Remote Execution Contextlib/chunk-b9fredyc.js
HighObfuscated
HighOversized Source Filelib/chunk-wpxk81hk.js
MediumSecret Patternlib/chunk-ay15an5e.js
MediumDynamic Requirelib/chunk-b9fredyc.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binarylib/node-hdiffpatch-q8ah3hfz.node
MediumStructural Risk Force Deep Review
LowEvallib/index.js
LowWeak Cryptolib/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License