Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 8 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Shell
HighEntropyStrings · UrlStrings
Source & flagged code
2 flagged · dist/run-M4XXNPGD.js
L24: import path from "path";
L25: import { spawn } from "child_process";
L26: function winQuote(token) {
...
L29: var defaultExec = (cmd, args, opts) => new Promise((resolve, reject) => {
L30: const child = process.platform === "win32" ? spawn([cmd, ...args].map(winQuote).join(" "), {
L31: cwd: opts.cwd,
...
L91: });
L92: if (clack.isCancel(choice)) throw new CliError("", { exitCode: 1, code: "E_CANCELLED" });
L93: const lock2 = lockfile.installs.find((i) => i.dir === choice);
...
L101: try {
L102: const pkg = JSON.parse(fs.readFileSync(path.join(cwd, "package.json"), "utf8"));
L103: const pm = pkg.packageManager?.split("@")[0];
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/run-M4XXNPGD.js · L24
matchType = previous_version_dangerous_delta
matchedPackage = runcastle@0.1.0
matchedIdentity = npm:cnVuY2FzdGxl:0.1.0
similarity = 0.650
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/run-M4XXNPGD.js
Findings
2 High · 2 Medium · 4 Low
High · Sandbox Evasion Gated Capability · dist/run-M4XXNPGD.js
High · Previous Version Dangerous Delta · dist/run-M4XXNPGD.js
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings