Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/prepare-node-pty.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgdist/dotnet/ManagedMetadataHeaps.jsView file
24readUInt16() {
L25: this.require(2);
L26: const value = this.bytes.readUInt16LE(this.#offset);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/dotnet/ManagedMetadataHeaps.jsView on unpkg · L2481try {
L82: return new TextDecoder("utf-8", { fatal: true }).decode(bytes.subarray(start, end));
L83: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/dotnet/ManagedMetadataHeaps.jsView on unpkg · L81bridge/hopper_bridge.pyView file
•path = bridge/hopper_bridge.py
kind = build_helper
sizeBytes = 38096
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
bridge/hopper_bridge.pyView on unpkgFindings
1 High5 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiredist/dotnet/ManagedMetadataHeaps.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbridge/hopper_bridge.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/dotnet/ManagedMetadataHeaps.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings