
pushy-server@2026.7.4-3330c756

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 20 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest
NoLicense
scanned 17 files, 4.28 MB of source, external domains: accounts.google.com, api.nodemailer.com, cdn.jsdelivr.net, cresc.dev, ely.sia, ethereal.email, github.com, jimmy.warting.se, jira.mariadb.org, json-schema.org, mail.google.com, mths.be, nodemailer.com, openapi.alipay.com, pris.ly, pushy.reactnative.cn, registry.npmjs.org, s.io, sts.aliyuncs.com, www.apple.com, www.prisma.io, www.w3.org. Entries such as ely.sia and s.io look like fragments produced by URL-string extraction rather than real hostnames; confirm them against the source before treating this list as network indicators.
Oversized source lightweight scan
lib/chunk-zhnn89b2.js: 4.61 MB file, sampled 256 KB
HighEntropyStrings, Minified

Source & flagged code

11 flagged
lib/chunk-htrw9ag2.js
7patternName = generic_password severity = medium line = 7 matchedText = `),typeo...ion.
Medium
Secret Pattern

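Package contains a possible secret pattern. The matched text is truncated in this report and appears to sit inside minified code, so check the referenced line in the file to decide whether it is a real credential or a code fragment that merely matches the generic_password pattern.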

lib/chunk-htrw9ag2.js · L7
lib/chunk-3dx02kkv.js
176`+Z.prev+Z.base;return J+S2.call(X,","+J)+` L177: `+Z.prev}function sQ(X,Z){var J=Zq(X),Y=[];if(J){Y.length=X.length;for(var W=0;W<X.length;W++)Y[W]=O9(X,W)?Z(X[W],X):""}var $=typeof sD==="function"?sD(X):[],Q;if(aX){Q={};for(var ... L178: * statuses
High
Child Process

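Package source references child process execution. The excerpt above is truncated minified code and the child-process call itself is not visible in it; the adjacent banner comment (`statuses`) suggests a bundle of third-party modules, so locate the actual call site and its arguments in the file before judging this finding.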

lib/chunk-3dx02kkv.js · L176
169*/var gw1=/["'&<>]/;gT.exports=kw1;function kw1(X){var Z=""+X,J=gw1.exec(Z);if(!J)return Z;var Y,W="",$=0,Q=0;for($=J.index;$<Z.length;$++){switch(Z.charCodeAt($)){case 34:Y="&quot... L170: * is-extendable <https://github.com/jonschlinkert/is-extendable> L171: * ... L176: `+Z.prev+Z.base;return J+S2.call(X,","+J)+` L177: `+Z.prev}function sQ(X,Z){var J=Zq(X),Y=[];if(J){Y.length=X.length;for(var W=0;W<X.length;W++)Y[W]=O9(X,W)?Z(X[W],X):""}var $=typeof sD==="function"?sD(X):[],Q;if(aX){Q={};for(var ... L178: * statuses
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/chunk-3dx02kkv.js · L169
lib/chunk-mgxfs41z.js
24L25: `);return L.split(",")}switch(H){case"hoist-pattern":case"public-hoist-pattern":return A(T)}return T}zG.exports=FG});var vG=F((yG)=>{var jG=g("os"),MA=g("path"),fG=jG.tmpdir(),TN=p... L26: `,aabOpenApksFailed:"Failed to open generated .apks file",aabReadUniversalApkFailed:"Failed to read universal.apk",aabUniversalApkNotFound:"universal.apk not found in generated .ap...
High
Shell

Package source references shell execution.

lib/chunk-mgxfs41z.js · L24
11`,hD=(H,T)=>{let A=[],L="";if(typeof T==="string")T={section:T,whitespace:!1};else T=T||Object.create(null),T.whitespace=T.whitespace===!0;let _=T.whitespace?" = ":"=";for(let E of... L12: `;else if(I&&typeof I==="object")A.push(E);else L+=JL(E)+_+JL(I)+kD}if(T.section&&L.length)L="["+JL(T.section)+"]"+kD+L;for(let E of A){let I=x0(E).join("\\."),C=(T.section?T.secti... L13: `:` ... L15: `,_)}while(L!==-1);return E+=H.substr(_),E};RS.exports={stringReplaceAll:RJ,stringEncaseCRLFWithFirstIndex:CJ}});var KS=F((Pw,hS)=>{var SJ=/(?:\\(u(?:[a-f\d]{4}|\{[a-f\d]{1,6}\})|x... L16: `],["r","\r"],["t","\t"],["b","\b"],["f","\f"],["v","\v"],["0","\x00"],["\\","\\"],["e","\x1B"],["a","\x07"]]);function kS(H){let T=H[0]==="u",A=H[1]==="{";if(T&&!A&&H.length===5||... L17: `);if(E!==-1)T=$J(T,_,L,E);return L+T+_},WD,xS=(H,...T)=>{let[A]=T;if(!nE(A)||!nE(A.raw))return T.join(" ");let L=T.slice(1),_=[A.raw[0]];for(let E=1;E<A.length;E++)_.push(String(L... L18: GFS4: `),console.error(H)};if(!WH[sH]){if(uD=global[sH]||[],_G(WH,uD),WH.close=function(H){function T(A,L){return H.call(WH,A,function(_){if(!_)LG();if(typeof L==="function")L.appl... ... L24: L25: `);return L.split(",")}switch(H){case"
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/chunk-mgxfs41z.js · L11
1Cross-file remote execution chain: lib/chunk-mgxfs41z.js spawns lib/chunk-3dx02kkv.js; helper contains network access plus dynamic code execution. L1: // @bun L2: import{H as KN,Q as MN,R as yc,S as vc,T as uc,U as gc,V as bc,W as uR,Y as mc,Z as mR,_ as dc}from"./chunk-n3v7vwz9.js";import{Ga as uH,Qa as Oc,Ra as pc,Ua as gR,ga as j9,la as Z... L3: loaded from: `+H+` L4: `);function C(R){var S=m9(kA.join(R,"prebuilds")).map(I8),G=S.filter(D8(g9,u9)).sort(B8)[0];if(!G)return;var D=kA.join(R,"prebuilds",G.name),B=m9(D).map(R8),k=B.filter(C8(v9,tR)),h... L5: ... L11: `,hD=(H,T)=>{let A=[],L="";if(typeof T==="string")T={section:T,whitespace:!1};else T=T||Object.create(null),T.whitespace=T.whitespace===!0;let _=T.whitespace?" = ":"=";for(let E of... L12: `;else if(I&&typeof I==="object")A.push(E);else L+=JL(E)+_+JL(I)+kD}if(T.section&&L.length)L="["+JL(T.section)+"]"+kD+L;for(let E of A){let I=x0(E).join("\\."),C=(T.section?T.secti... L13: `:` ... L15: `,_)}while(L!==-1);return E+=H.substr(_),E};RS.exports={stringReplaceAll:RJ,stringEncaseCRLFWithFirstIndex:CJ}});var KS=F((Pw,hS)=>{var SJ=/(?:\\(u(?:[a-f\d]{4}|\{[a-f\d]{1,6}\})|x... L16: `],["r","\r"],["t","\t"],["b","\b"],["f","\f"],…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/chunk-mgxfs41z.js · L1
lib/index.js
274`),console.warn(eY.valibot);break;case"effect":if(n4.effect)break;n4.effect=!0,console.warn("[@elysiajs/openapi] Effect Schema doesn't provide JSON Schema method on the schema"),co... L275: `),console.warn(eY.effect);break}if(G==="arktype")return x4($?.toJsonSchema?.());return x4($.toJSONSchema?.()??$?.toJsonSchema?.())}catch(w){console.warn(w)}},x4=($)=>{if(!$||typeo... L276:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/index.js · L274
3causes have become circular...`;let G=WX($);if(G)return q.add($),Y+` L4: caused by: `+uW(G,q);else return Y},_M=($)=>uW($,new Set),EW=($,q,Y)=>{if(!L5($))return"";let G=Y?"":$.message||"";if(q.has($))return G+": ...";let w=WX($);if(w){q.add($);let X=typ... L5: ${J}`,E=`, ... L21: ${_}${o} L22: ${J}`;return T.pop(),`{${o}}`}case"number":return isFinite(z)?String(z):q?q(z):"null";case"boolean":return z===!0?"true":"false";case"undefined":return;case"bigint":if(G)return Str... L23: `:` ... L25: Supported algorithms are: L26: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".`,s5="secret must be a string or buffer",Y5="key must be a str... L27: * mime-types ... L42: `);if(I.push(f,J,z),typeof J.size==="number")Z+=f.byteLength+J.size+z.byteLength;else T=!0}let c=Ew.encode(`--${j}--\r L43: `);if(I.push(c),Z+=c.byteLength,T)Z=null;X=$,w=async function*(){for(let _ of I)if(_.stream)yield*_.stream();else yield _},K=`multipart/form-data; boundary=${j}`}else if(U8.is.Blob... L44: `).map((G)=>G.trim()).filter((G)=>G!==""&&!G.startsWith("#"));while(Y.length>0)q.push(iF(Y));if(q.length===0)throw Error("PEM: no block");return
Low
Weak Crypto

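Package source references weak cryptographic algorithms. The matched excerpt appears to be an error-message string listing supported JWT signing algorithms, including "none"; that shows the bundled library knows these names, not that a weak algorithm is in use. Check that token verification in this package pins an explicit algorithm allow-list and never accepts "none".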

lib/index.js · L3
lib/chunk-4mv2wem4.js
1// @bun L2: import{fb as $0}from"./chunk-ay5scfsk.js";import{gb as Y0}from"./chunk-ac193nks.js";/*! ieee754. BSD-3-Clause License. Feross Aboukhadijeh <https://feross.org/opensource> */var $1=... L3: `,"\r","\t"," ","\x00"].some((J)=>this.checkString(J,{offset:6})))return{ext:"vtt",mime:"text/vtt"};if(this.check([137,80,78,71,13,10,26,10]))return z1(G);if(this.check([65,82,82,7...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/chunk-4mv2wem4.js · L1
lib/node-hdiffpatch-q8ah3hfz.node
path = lib/node-hdiffpatch-q8ah3hfz.node kind = native_binary sizeBytes = 463096 magicHex = [redacted]
Medium
Ships Native Binary

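Package ships native binary artifacts. Source-pattern scanning does not inspect the compiled contents of this .node addon, so its provenance and build origin need to be verified separately (for example, by comparing its hash against a build from the corresponding upstream source).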

lib/node-hdiffpatch-q8ah3hfz.node
lib/chunk-zhnn89b2.js
path = lib/chunk-zhnn89b2.js kind = oversized_source_file sizeBytes = 4837698 magicHex = [redacted]
High
Oversized Source File

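Package contains source files above the static scanner size ceiling. Only 256 KB of this 4.61 MB file was sampled, so the absence of further findings in it is not evidence that the unsampled remainder is clean; it needs a full scan or manual review.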

lib/chunk-zhnn89b2.js

Findings

7 High · 7 Medium · 6 Low
High · Child Process · lib/chunk-3dx02kkv.js
High · Shell · lib/chunk-mgxfs41z.js
High · Same File Env Network Execution · lib/chunk-3dx02kkv.js
High · Command Output Exfiltration · lib/chunk-mgxfs41z.js
High · Cross File Remote Execution Context · lib/chunk-mgxfs41z.js
High · Obfuscated
High · Oversized Source File · lib/chunk-zhnn89b2.js
Medium · Secret Pattern · lib/chunk-htrw9ag2.js
Medium · Dynamic Require · lib/chunk-4mv2wem4.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Native Binary · lib/node-hdiffpatch-q8ah3hfz.node
Medium · Structural Risk Force Deep Review
Low · Eval · lib/index.js
Low · Weak Crypto · lib/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License