startx@1.1.52

⚠ Under review

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 263 file(s), 1.21 MB of source, external domains: api.anthropic.com, api.cerebras.ai, api.groq.com, api.open-meteo.com, app.com, dotenvx.com, fonts.googleapis.com, fonts.gstatic.com, geocoding-api.open-meteo.com, github.com, json-schema.org

Source & flagged code

7 flagged

apps/cli/src/commands/common/hashing.ts
L27: patternName = generic_password severity = medium line = 27 matchedText = logger.i..."`);
Medium
Secret Pattern

Package contains a possible secret pattern.


packages/aix/src/lib/convertor/variable-resolver.ts
L129: if (v.type === "fn") { L130: parsed = eval(`(function() { L131: return (function() {
Low
Eval

Package source references a known benign dynamic code generation pattern.


apps/startx-cli/dist/index.mjs
L177: contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.


Trigger-reachable chain: manifest.bin -> apps/startx-cli/dist/index.mjs
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.


apps/startx-cli/dist/index.mjs
L61: `)[0]}\n`),Error.captureStackTrace(this,e)}};t.exports=e=>{if(e.length>2)throw new n(e);function t(e={}){this.options=e}t.prototype.transform=e;function r(e){return new t(e)}return... L62: `)!=-1,a=this._styles,s=a.length;s--;){var c=i[a[s]];e=c.open+e.replace(c.closeRe,c.open)+c.close,t&&(e=e.replace(o,function(e){return c.close+e+c.open}))}return e}n.setTheme=funct... L63: `));return!0}t.exports=(...e)=>{let t=n(r(e)),i=t();return i.Format=t.Format,i},t.exports.cascade=r})),vg=v(((e,t)=>{let{hasOwnProperty:n}=Object.prototype,r=_();r.configure=_,r.st...
Medium
Dynamic Require

Package source references dynamic require/import behavior.


packages/aix/src/tools/system/index.ts
L233: try { L234: contextValue = JSON.parse(contextValue); L235: } catch {
Medium
Unsafe Vm Context

Package source executes code through a VM context API.


packages/ui/src/api/use-api/react-query/use-api.ts
matchType = previous_version_dangerous_delta matchedPackage = startx@1.1.5 matchedIdentity = npm:c3RhcnR4:1.1.5 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

3 Critical · 7 Medium · 5 Low

Critical · Trojan Source Unicode · apps/startx-cli/dist/index.mjs
Critical · Trigger Reachable Dangerous Capability · apps/startx-cli/dist/index.mjs
Critical · Previous Version Dangerous Delta · packages/ui/src/api/use-api/react-query/use-api.ts
Medium · Secret Pattern · apps/cli/src/commands/common/hashing.ts
Medium · Dynamic Require · apps/startx-cli/dist/index.mjs
Medium · Unsafe Vm Context · packages/aix/src/tools/system/index.ts
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · packages/aix/src/lib/convertor/variable-resolver.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings