
pushy-server@2026.7.2-00386b2c

⚠ Under review

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest
NoLicense
scanned 17 file(s), 4.30 MB of source, external domains: accounts.google.com, api.nodemailer.com, cdn.jsdelivr.net, cresc.dev, ely.sia, ethereal.email, github.com, jimmy.warting.se, jira.mariadb.org, json-schema.org, mail.google.com, mths.be, nodemailer.com, openapi.alipay.com, pris.ly, pushy.reactnative.cn, registry.npmjs.org, s.io, sts.aliyuncs.com, www.apple.com, www.prisma.io, www.w3.org
Oversized source lightweight scan
lib/chunk-jt57bn5n.js: 4.61 MB file, sampled 256 KB
HighEntropyStrings, Minified

Source & flagged code

12 flagged
lib/chunk-1k18b79a.js
20`).concat(`\r L21: `)}function _W($,Z){let X=-1;for(let Q=0;Q<$.length;Q+=2){if($[Q]!==Z)continue;if(X===-1){X=Q;continue}let J=$[X+1];if(Z===fX&&J){let Y=T8($[Q+1],J);if(Y)$[X+1]=Y}$.splice(Q,2),Q-=... L22: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}createSocket($,Z,X){let Q={...Z,secureEndpoint:this.isSecureEndpoint(Z)};Promise.resolve().then(()=>this.c...
Critical
Protestware

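Package source matches protestware-related patterns. The excerpt shown is minified bundle code and does not by itself show protest behavior, so treat this as a pattern match to confirm in context.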

lib/chunk-1k18b79a.js · L20
20`).concat(`\r L21: `)}function _W($,Z){let X=-1;for(let Q=0;Q<$.length;Q+=2){if($[Q]!==Z)continue;if(X===-1){X=Q;continue}let J=$[X+1];if(Z===fX&&J){let Y=T8($[Q+1],J);if(Y)$[X+1]=Y}$.splice(Q,2),Q-=... L22: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}createSocket($,Z,X){let Q={...Z,secureEndpoint:this.isSecureEndpoint(Z)};Promise.resolve().then(()=>this.c...
High
Child Process

Package source references child process execution.

lib/chunk-1k18b79a.js · L20
6${JSON.stringify(W)} L7: `),typeof K==="string"||K instanceof Uint8Array)J(K);else{let z;try{z=JSON.stringify(K)}catch{z=JSON.stringify(o$(K))}J(z)}}return typeof Q==="string"?Q:FT(Q)}function FT($){let Z=... L8: Event: ${f1($)}`),!0;if(Vh($))return q&&j.warn(`Event dropped due to not having an error message, error type or stacktrace. ... L17: Error:`,J)}}var D5=new Set([]);function q5($){let X=YJ("console",$);return EZ("console",_h),X}function FH($){for(let Z of $)D5.add(Z);return()=>{for(let Z of $)D5.delete(Z)}}functi... L18: Reason: ${B}`)})}_process($,Z){this._numProcessing++,this._promiseBuffer.add($).then((X)=>{return this._numProcessing--,X},(X)=>{if(this._numProcessing--,X===yZ)this.recordDroppedE... L19: `),X=[];for(let Q of Z)try{let J=Q.indexOf(":");if(J===-1)continue;let Y=Q.slice(0,J).trim(),W=Q.slice(J+1).trim();if(Y)X.push(Y,W)}catch{j.warn(`Failed to convert string request h... L20: `).concat(`\r L21: `)}function _W($,Z){let X=-1;for(let Q=0;Q<$.length;Q+=2){if($[Q]!==Z)continue;if(X===-1){X=Q;continue}let J=$[X+1];if(Z===fX&&J){let Y=T8($[Q+1],J);if(Y)$[X+1]=Y}$.splice(Q,2),Q-=... L22: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}c
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/chunk-1k18b79a.js · L6
7patternName = generic_password severity = medium line = 7 matchedText = `),typeo...ion.
Medium
Secret Pattern

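Package contains a possible secret pattern. The matched text (`),typeo…`) is the start of minified code on line 7 of the file (`typeof K==="string"`), which suggests a false positive rather than an embedded credential; confirm against the file before acting on it.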

lib/chunk-1k18b79a.js · L7
lib/chunk-jxrbzn80.js
24L25: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}Zk.exports=Uk});var wk=F((zk)=>{var Xk=g("os"),KA=g("path"),Fk=Xk.tmpdir(),d2=p... L26: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Shell

Package source references shell execution.

lib/chunk-jxrbzn80.js · L24
11`,kD=(H,T)=>{let A=[],L="";if(typeof T==="string")T={section:T,whitespace:!1};else T=T||Object.create(null),T.whitespace=T.whitespace===!0;let _=T.whitespace?" = ":"=";for(let E of... L12: `;else if(I&&typeof I==="object")A.push(E);else L+=xL(E)+_+xL(I)+SD}if(T.section&&L.length)L="["+xL(T.section)+"]"+SD+L;for(let E of A){let I=K0(E).join("\\."),C=(T.section?T.secti... L13: `:` ... L15: `,_)}while(L!==-1);return E+=H.substr(_),E};LS.exports={stringReplaceAll:ox,stringEncaseCRLFWithFirstIndex:tx}});var RS=F((Cw,BS)=>{var ex=/(?:\\(u(?:[a-f\d]{4}|\{[a-f\d]{1,6}\})|x... L16: `],["r","\r"],["t","\t"],["b","\b"],["f","\f"],["v","\v"],["0","\x00"],["\\","\\"],["e","\x1B"],["a","\x07"]]);function DS(H){let T=H[0]==="u",A=H[1]==="{";if(T&&!A&&H.length===5||... L17: `);if(E!==-1)T=DJ(T,_,L,E);return L+T+_},OD,KS=(H,...T)=>{let[A]=T;if(!rE(A)||!rE(A.raw))return T.join(" ");let L=T.slice(1),_=[A.raw[0]];for(let E=1;E<A.length;E++)_.push(String(L... L18: GFS4: `),console.error(H)};if(!WH[nH]){if(yD=global[nH]||[],tS(WH,yD),WH.close=function(H){function T(A,L){return H.call(WH,A,function(_){if(!_)oS();if(typeof L==="function")L.appl... ... L24: L25: `);return L.split(",")}switch(H){case"
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/chunk-jxrbzn80.js · L11
1Cross-file remote execution chain: lib/chunk-jxrbzn80.js spawns lib/chunk-1k18b79a.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{I as _N,K as Xc,L as Fc,M as zc,O as wc,P as uR,z as LN}from"./chunk-sg08acrx.js";import{Ea as Pc,Fa as Yc,Ia as fR,X as Y9,aa as cc,ba as $c,ua as vH}from"./chunk-3c2xpppq.... L3: loaded from: `+H+` L4: `);function C(R){var S=g9(kA.join(R,"prebuilds")).map(H8),k=S.filter(T8(v9,y9)).sort(A8)[0];if(!k)return;var D=kA.join(R,"prebuilds",k.name),B=g9(D).map(L8),G=B.filter(_8(f9,iR)),h... L5: ... L11: `,kD=(H,T)=>{let A=[],L="";if(typeof T==="string")T={section:T,whitespace:!1};else T=T||Object.create(null),T.whitespace=T.whitespace===!0;let _=T.whitespace?" = ":"=";for(let E of... L12: `;else if(I&&typeof I==="object")A.push(E);else L+=xL(E)+_+xL(I)+SD}if(T.section&&L.length)L="["+xL(T.section)+"]"+SD+L;for(let E of A){let I=K0(E).join("\\."),C=(T.section?T.secti... L13: `:` ... L15: `,_)}while(L!==-1);return E+=H.substr(_),E};LS.exports={stringReplaceAll:ox,stringEncaseCRLFWithFirstIndex:tx}});var RS=F((Cw,BS)=>{var ex=/(?:\\(u(?:[a-f\d]{4}|\{[a-f\d]{1,6}\})|x... L16: `],["r","\r"],["t","\t"],["b","\b"],["f","\f"],…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/chunk-jxrbzn80.js · L1
lib/index.js
274`),console.warn(eY.valibot);break;case"effect":if(n4.effect)break;n4.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L275: `),console.warn(eY.effect);break}if(w==="arktype")return E4($?.toJsonSchema?.());return E4($.toJSONSchema?.()??$?.toJsonSchema?.())}catch(G){console.warn(G)}},E4=($)=>{if(!$||typeo... L276:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/index.js · L274
3causes have become circular...`;let w=Q9($);if(w)return q.add($),Y+` L4: caused by: `+fW(w,q);else return Y},qm=($)=>fW($,new Set),kW=($,q,Y)=>{if(!d5($))return"";let w=Y?"":$.message||"";if(q.has($))return w+": ...";let G=Q9($);if(G){q.add($);let X=typ... L5: ${I}`,n=`, ... L21: ${_}${o} L22: ${I}`;return T.pop(),`{${o}}`}case"number":return isFinite(H)?String(H):q?q(H):"null";case"boolean":return H===!0?"true":"false";case"undefined":return;case"bigint":if(w)return Str... L23: `:` ... L25: Supported algorithms are: L26: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,s5="secret must be a string or buffer",q5="key must be a str... L27: * mime-types ... L42: `);if(J.push(f,I,H),typeof I.size==="number")K+=f.byteLength+I.size+H.byteLength;else T=!0}let c=kG.encode(`--${j}--\r L43: `);if(J.push(c),K+=c.byteLength,T)K=null;X=$,G=async function*(){for(let _ of J)if(_.stream)yield*_.stream();else yield _},Z=`multipart/form-data; boundary=${j}`}else if(U8.is.Blob... L44: `).map((w)=>w.trim()).filter((w)=>w!==""&&!w.startsWith("#"));while(Y.length>0)q.push(xF(Y));if(q.length===0)throw Error("PEM: no block");return
Low
Weak Crypto

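Package source references weak cryptographic algorithms. The visible match appears to be an error-message string listing supported JWT/JWS signing algorithms, including "none"; check that token verification pins the accepted algorithms and never accepts "none".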

lib/index.js · L3
lib/chunk-3c2xpppq.js
10\v\f\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F !"#\xA5%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_\`abcdefghijklmnopqrstuvwxyz{|}\u2... L11: \v\f\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\xA5]^_\`abcdefghijklmnopqrstuvwxyz{|}\u20... L12: | 0 1 2 3 4 5 6 7 8 9 a b c d e f |
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/chunk-3c2xpppq.js · L10
lib/node-hdiffpatch-q8ah3hfz.node
path = lib/node-hdiffpatch-q8ah3hfz.node kind = native_binary sizeBytes = 463096 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

lib/node-hdiffpatch-q8ah3hfz.node
lib/chunk-jt57bn5n.js
path = lib/chunk-jt57bn5n.js kind = oversized_source_file sizeBytes = 4837698 magicHex = [redacted]
High
Oversized Source File

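Package contains source files above the static scanner size ceiling. Only a 256 KB sample of this 4.61 MB file was scanned, so the rest of the file is not covered by the findings on this page.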

lib/chunk-jt57bn5n.js

Findings

1 Critical · 7 High · 6 Medium · 6 Low
Critical · Protestware · lib/chunk-1k18b79a.js
High · Child Process · lib/chunk-1k18b79a.js
High · Shell · lib/chunk-jxrbzn80.js
High · Same File Env Network Execution · lib/chunk-1k18b79a.js
High · Command Output Exfiltration · lib/chunk-jxrbzn80.js
High · Cross File Remote Execution Context · lib/chunk-jxrbzn80.js
High · Obfuscated
High · Oversized Source File · lib/chunk-jt57bn5n.js
Medium · Secret Pattern · lib/chunk-1k18b79a.js
Medium · Dynamic Require · lib/chunk-3c2xpppq.js
Medium · Network
Medium · Environment Vars
Medium · Ships Native Binary · lib/node-hdiffpatch-q8ah3hfz.node
Medium · Structural Risk Force Deep Review
Low · Eval · lib/index.js
Low · Weak Crypto · lib/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License