registry  /  vde-monitor  /  0.10.3

vde-monitor@0.10.3

⚠ Under review

Monitor tmux sessions with a web UI.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 306 file(s), 11.0 MB of source, external domains: api.anthropic.com, fb.me, github.com, json-schema.org, platform.claude.com, raw.githubusercontent.com, react.dev, www.w3.org

Source & flagged code

3 flagged · loading source
dist/web/assets/sass-DXrisJhu.jsView file
1var e=[Object.freeze(JSON.parse(`{"displayName":"Sass","fileTypes":["sass"],"foldingStartMarker":"/\\\\*|^#|^\\\\*|^\\\\b|\\\\*#?region|^\\\\.","foldingStopMarker":"\\\\*/|\\\\*#?e...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/web/assets/sass-DXrisJhu.jsView on unpkg · L1
dist/index.jsView file
10import webpush from "web-push"; L11: import { createConnection, createServer } from "node:net"; L12: import { execFile, spawn } from "node:child_process"; L13: import fs$1, { chmod, lstat, mkdir, open, readFile, readdir, realpath, stat, unlink } from "node:fs/promises"; ... L707: if (path.extname(configPath).toLowerCase() === ".json") try { L708: return JSON.parse(raw); L709: } catch { ... L896: const getTokenDir = () => { L897: return path.join(os.homedir(), ".vde-monitor"); L898: }; ... L1092: title: "Permission required", L1093: body: `${paneLabel} is waiting for permission`,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L10
dist/web/assets/index-SbBNe9Vz.jsView file
144contains invisible/control Unicode U+2060 (word joiner) `,Nfr:()=>eN,NoBreak:()=>`<U+2060>`,NonBreakingSpace:()=>`\xA0`,Nopf:()=>`ℕ`,Not:()=>`⫬`,NotCongruent:()=>`≢`,NotCupCap:()=>`≭`,NotDoubleVerticalBar:()=>`∦`,NotElement:()=>`∉`,NotEqual:()=>`≠`,NotEqualTilde:()=>_N,NotExists:()=>`∄`,NotGreat
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/web/assets/index-SbBNe9Vz.jsView on unpkg · L144

Findings

1 Critical4 Medium6 Low
CriticalTrojan Source Unicodedist/web/assets/index-SbBNe9Vz.js
MediumDynamic Requiredist/web/assets/sass-DXrisJhu.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings