trybeacon@0.1.74

The visual planning surface for the coding agent in your terminal.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, DynamicRequire, EnvironmentVars, Network
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 22 file(s), 566 KB of source, external domains: bun.sh, registry.npmjs.org, www.trybeacon.sh

Source & flagged code

7 flagged
dist/bin/remove.js
L2: // @bun
L3: var c5=Object.defineProperty;var l5=(Z)=>Z;function d5(Z,$){this[Z]=l5.bind(null,$)}var fZ=(Z,$)=>{for(var Q in $)c5(Z,Q,{get:$[Q],enumerable:!0,configurable:!0,set:d5.bind($,Q)})}...
L4: `)){let U=W.trim().match(/^(\w+)\s+(\w+(?:\[\])?\??)\s*(.*)$/);if(!U||/^@@/.test(W.trim()))continue;let[,N,L,q]=U,H=/^(String|Int|BigInt|Float|Decimal|Boolean|DateTime|Json|Bytes)(...
High
Child Process

Package source references child process execution.

dist/bin/remove.js · L2
L2: // @bun
L3: var c5=Object.defineProperty;var l5=(Z)=>Z;function d5(Z,$){this[Z]=l5.bind(null,$)}var fZ=(Z,$)=>{for(var Q in $)c5(Z,Q,{get:$[Q],enumerable:!0,configurable:!0,set:d5.bind($,Q)})}...
L4: `)){let U=W.trim().match(/^(\w+)\s+(\w+(?:\[\])?\??)\s*(.*)$/);if(!U||/^@@/.test(W.trim()))continue;let[,N,L,q]=U,H=/^(String|Int|BigInt|Float|Decimal|Boolean|DateTime|Json|Bytes)(...
...
L6: \x1B[1m${Z}\x1B[0m`;function b8(){if(!MZ)return g(ZZ(FZ(process.cwd())));if(/^[0-9a-f]{12}$/.test(MZ)){let Z=g(MZ);if(Z)return Z}return g(ZZ(FZ(g5(MZ))))}var s=b8();if(!s)console.e...
L7: `),process.exit(0);async function p8(Z){try{let{pid:$,port:Q}=JSON.parse(m8(g5(t(),"server.json"),"utf8"));if(!$||!Q)return!1;return process.kill($,0),(await fetch(`http://localhos...
L8: `);else{let Z=await x5(s.id);if(!Z.ok)console.error(`[beacon] remove failed: ${Z.error??"unknown error"}`),process.exit(1);console.log(` ${f5(`removed ${s.name}`)}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/remove.js · L2
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin/remove.js · L2
dist/bin/beacon.js
L2: // @bun
L3: import{execSync as F,spawn as c}from"child_process";import{existsSync as f,mkdirSync as d,openSync as p,readFileSync as h,writeFileSync as t}from"fs";import{homedir as l,platform a...
L4: \u25C9 Beacon setup \xB7 ${z}`),console.log(` \u2713 skill: ${H}`),console.log(` \u2713 skill: ${w}`);for(let y of L)console.log(` \u2713 skill: ${y}`);console.log(` ${I.add...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/beacon.js · L2
public/install.sh
path = public/install.sh kind = build_helper sizeBytes = 3755 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

public/install.sh
.next/server/app/apple-icon.png.body
path = .next/server/app/apple-icon.png.body kind = high_entropy_blob sizeBytes = 18923 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/server/app/apple-icon.png.body
path = .next/server/app/apple-icon.png.body kind = payload_in_excluded_dir sizeBytes = 18923 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/server/app/apple-icon.png.body

Findings

5 High · 5 Medium · 4 Low
High · Child Process · dist/bin/remove.js
High · Same File Env Network Execution · dist/bin/remove.js
High · Command Output Exfiltration · dist/bin/remove.js
High · Ships High Entropy Blob · .next/server/app/apple-icon.png.body
High · Payload In Excluded Dir · .next/server/app/apple-icon.png.body
Medium · Dynamic Require · dist/bin/beacon.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · public/install.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings