tmex-cli@0.16.4

Node.js-compatible CLI for initializing, diagnosing, upgrading, and uninstalling tmex deployment.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest
NoLicense, WildcardDependency
scanned 74 file(s), 5.13 MB of source, external domains: 127.0.0.1, api.openai.com, api.vercel.com, base-ui.com, brew.sh, bun.sh, chevrotain.io, en.wikipedia.org, example.com, github.com, jquery.org, langium.org, lodash.com, openjsf.org, react.dev, tldrlegal.com, underscorejs.org, vercel.com, www.apple.com, www.w3.org
Oversized source lightweight scan
dist/runtime/server.js · 4.14 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, EnvironmentVars, Crypto, HighEntropyStrings, UrlStrings · api.vercel.com, brew.sh, vercel.com

Source & flagged code

8 flagged
resources/fe-dist/assets/en_US-BihUhDmr.js
patternName = private_key_openssh severity = critical line = 1 matchedText = const e=...on};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

resources/fe-dist/assets/en_US-BihUhDmr.js · L1
patternName = private_key_openssh severity = critical line = 1 matchedText = const e=...on};
Critical
Secret Pattern

OpenSSH private key in resources/fe-dist/assets/en_US-BihUhDmr.js

resources/fe-dist/assets/en_US-BihUhDmr.js · L1
dist/runtime/cpufeatures-dxrn1j88.node
path = dist/runtime/cpufeatures-dxrn1j88.node kind = native_binary sizeBytes = 61424 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/runtime/cpufeatures-dxrn1j88.node
dist/runtime/assets/ghostty-vt.wasm
path = dist/runtime/assets/ghostty-vt.wasm kind = wasm_module sizeBytes = 554837 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/runtime/assets/ghostty-vt.wasm
resources/fe-dist/fonts/generated/jetbrains-mono/jetbrains-mono-bold.woff2
path = resources/fe-dist/fonts/generated/jetbrains-mono/jetbrains-mono-bold.woff2 kind = high_entropy_blob sizeBytes = 1046588 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

resources/fe-dist/fonts/generated/jetbrains-mono/jetbrains-mono-bold.woff2
dist/runtime/server.js
path = dist/runtime/server.js kind = oversized_source_file sizeBytes = 4345373 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/runtime/server.js
resources/fe-dist/assets/zh_CN-CPdvelFW.js
patternName = private_key_openssh severity = critical line = 1 matchedText = const e=...on};
Critical
Secret Pattern

OpenSSH private key in resources/fe-dist/assets/zh_CN-CPdvelFW.js

resources/fe-dist/assets/zh_CN-CPdvelFW.js · L1
resources/fe-dist/assets/ja_JP-f5sXmz8W.js
patternName = private_key_openssh severity = critical line = 1 matchedText = const e=...on};
Critical
Secret Pattern

OpenSSH private key in resources/fe-dist/assets/ja_JP-f5sXmz8W.js

resources/fe-dist/assets/ja_JP-f5sXmz8W.js · L1

Findings

4 Critical · 2 High · 7 Medium · 7 Low
Critical · Critical Secret · resources/fe-dist/assets/en_US-BihUhDmr.js
Critical · Secret Pattern · resources/fe-dist/assets/en_US-BihUhDmr.js
Critical · Secret Pattern · resources/fe-dist/assets/zh_CN-CPdvelFW.js
Critical · Secret Pattern · resources/fe-dist/assets/ja_JP-f5sXmz8W.js
High · Ships High Entropy Blob · resources/fe-dist/fonts/generated/jetbrains-mono/jetbrains-mono-bold.woff2
High · Oversized Source File · dist/runtime/server.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Native Binary · dist/runtime/cpufeatures-dxrn1j88.node
Medium · Ships Wasm Module · dist/runtime/assets/ghostty-vt.wasm
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License