
run402@3.7.3

⚠ Under review

CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 139 file(s), 1.45 MB of source, external domains: 127.0.0.1, api.github.com, api.run402.com, app.run402.com, docs.run402.com, eagles.kychon.com, example.com, hooks.example.com, my-receiver.example.com, myapp.run402.com, new.example.com, rpc.moderato.tempo.xyz, run402.com, token.actions.githubusercontent.com

Source & flagged code

4 flagged
sdk/dist/scoped.js
matchType = previous_version_dangerous_delta
matchedPackage = run402@3.7.0
matchedIdentity = npm:cnVuNDAy:3.7.0
similarity = 0.917
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

sdk/dist/scoped.js
L90: }
L91: fork(opts) {
L92:   return this.parent.apps.fork(opts);
High
Child Process

Package source references child process execution.

sdk/dist/scoped.js · L90
sdk/dist/node/_paid-stack.js
L57: const c = new LoadCollector();
L58: const accounts = await c.load("viem", () => import("viem/accounts"));
L59: const viemMod = await c.load("viem", () => import("viem"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

sdk/dist/node/_paid-stack.js · L57
lib/dev.mjs
L109: // Astro's normal output.
L110: const child = spawn("npx", ["astro", "dev", "--port", port, "--host", host], {
L111:   stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/dev.mjs · L109

Findings

1 Critical · 3 High · 4 Medium · 4 Low

Critical · Previous Version Dangerous Delta · sdk/dist/scoped.js
High · Child Process · sdk/dist/scoped.js
High · Shell
High · Runtime Package Install · lib/dev.mjs
Medium · Dynamic Require · sdk/dist/node/_paid-stack.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings