
trybeacon@0.1.77

⚠ Under review

The visual planning surface for the coding agent in your terminal.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process · Dynamic Require · Environment Vars · Network
Supply chain: High Entropy Strings · Minified · Url Strings
Manifest: No manifest risk signals triggered.
scanned 22 file(s), 572 KB of source, external domains: bun.sh, registry.npmjs.org, www.trybeacon.sh

Source & flagged code

8 flagged

dist/bin/remove.js
High
Child Process

Package source references child process execution.

dist/bin/remove.js · L2
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/remove.js · L2
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin/remove.js · L2

dist/bin/beacon.js
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/beacon.js · L2

public/install.sh
path = public/install.sh · kind = build_helper · sizeBytes = 3755 · magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

public/install.sh

.next/server/app/apple-icon.png.body
path = .next/server/app/apple-icon.png.body · kind = high_entropy_blob · sizeBytes = 18923 · magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/server/app/apple-icon.png.body
path = .next/server/app/apple-icon.png.body · kind = payload_in_excluded_dir · sizeBytes = 18923 · magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/server/app/apple-icon.png.body

dist/bin/ask.js
matchType = previous_version_dangerous_delta · matchedPackage = trybeacon@0.1.74 · matchedIdentity = npm:dHJ5YmVhY29u:0.1.74 · similarity = 0.909 · summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/bin/ask.js

Findings

1 Critical · 5 High · 5 Medium · 4 Low

Severity · Finding · File
Critical · Previous Version Dangerous Delta · dist/bin/ask.js
High · Child Process · dist/bin/remove.js
High · Same File Env Network Execution · dist/bin/remove.js
High · Command Output Exfiltration · dist/bin/remove.js
High · Ships High Entropy Blob · .next/server/app/apple-icon.png.body
High · Payload In Excluded Dir · .next/server/app/apple-icon.png.body
Medium · Dynamic Require · dist/bin/beacon.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · public/install.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings