registry  /  querysub  /  0.496.0

querysub@0.496.0

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 335 file(s), 3.22 MB of source, external domains: 127.0.0.1, api.backblazeb2.com, api.cloudflare.com, api.github.com, api.postmarkapp.com, api.sendgrid.com, deb.nodesource.com, docs.fish.audio, github.com, notdevtools.com, openrouter.ai, unpkg.com, www.w3.org

Source & flagged code

8 flagged · loading source
src/-a-auth/ed25519.tsView file
31patternName = private_key_rsa severity = critical line = 31 matchedText = let keyP..."");
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/-a-auth/ed25519.tsView on unpkg · L31
31patternName = private_key_rsa severity = critical line = 31 matchedText = let keyP..."");
Critical
Secret Pattern

RSA private key in src/-a-auth/ed25519.ts

src/-a-auth/ed25519.tsView on unpkg · L31
55patternName = private_key_rsa severity = critical line = 55 matchedText = return "...--";
Critical
Secret Pattern

RSA private key in src/-a-auth/ed25519.ts

src/-a-auth/ed25519.tsView on unpkg · L55
src/4-querysub/Querysub.tsView file
898let fnc = `(function ed25519(exports, require, module, __filename, __dirname, importDynamic) {${moduleContents}\n })`; L899: eval(fnc)(exports, require, module, "inlined", "inlined", require); L900:
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/4-querysub/Querysub.tsView on unpkg · L898
bin/movelogs.jsView file
5L6: require("typenode"); L7: require("../[redacted]");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/movelogs.jsView on unpkg · L5
src/deployManager/setupMachineMain.tsView file
26} L27: return os.homedir() + `/githubkey_${repoOwner}_${repoName}.json`; L28: } ... L30: async function verifyGitHubApiKey(apiKey: string): Promise<boolean> { L31: const response = await fetch("https://api.github.com/user", { L32: headers: { ... L62: try { L63: const cached = JSON.parse(fs.readFileSync(cacheFile, "utf8")); L64: if (cached.apiKey) { ... L76: // Need to get a new API key from user L77: console.log("\n🔑 GitHub API key required for private repository access"); L78: console.log("Opening GitHub token creation page...");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/deployManager/setupMachineMain.tsView on unpkg · L26
src/misc/lz4_wasm_nodejs_bg.wasmView file
path = src/misc/lz4_wasm_nodejs_bg.wasm kind = wasm_module sizeBytes = 65293 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

src/misc/lz4_wasm_nodejs_bg.wasmView on unpkg
src/deployManager/machine.shView file
path = src/deployManager/machine.sh kind = build_helper sizeBytes = 389 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/deployManager/machine.shView on unpkg

Findings

3 Critical8 Medium5 Low
CriticalCritical Secretsrc/-a-auth/ed25519.ts
CriticalSecret Patternsrc/-a-auth/ed25519.ts
CriticalSecret Patternsrc/-a-auth/ed25519.ts
MediumDynamic Requirebin/movelogs.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/deployManager/setupMachineMain.ts
MediumShips Wasm Modulesrc/misc/lz4_wasm_nodejs_bg.wasm
MediumShips Build Helpersrc/deployManager/machine.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvalsrc/4-querysub/Querysub.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings