
vibemux-worker-preview@0.3.58-preview.7c4010ae

⚠ Under review

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
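The combination of high-risk behaviors matched the scanner's policy for malicious packages. This is a static heuristic match; the version remains under review.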

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · WebSocket
Supply chain
HighEntropyStrings · MinifiedObfuscated · UrlStrings
Manifest
NoLicense
Scanned 4 files, 1.21 MB of source. External domains: 127.0.0.1, api.github.com, api.ipify.org, checkip.amazonaws.com, claude.ai, code-server.dev, opencode.ai, react.dev, www.apple.com, www.w3.org. (api.ipify.org and checkip.amazonaws.com are public IP-lookup services.)

Source & flagged code

8 flagged
dist-worker/apps/worker/src/index.js
1var sO=Object.create;var Bp=Object.defineProperty;var iO=Object.getOwnPropertyDescriptor;var aO=Object.getOwnPropertyNames;var AO=Object.getPrototypeOf,cO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},kO=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},wW=()=>({cloudUrl:wl(),machineId:QW(),machineName:Qn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=IW();Cy()&&(r.cloudUrl=wl()),pW(r.cloudUrl)&&(r.cloudUrl=wl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Ry=()=>ky().opencodeConfigContent,kl=()=>gi(yy()),bl=()=>gi(Qy()),Fp=()=>gi(mW()),Rl=(e=V(),t)=>{let r=Ot().effectiveCloudUrl?.trim()||e.cloudUrl;return Il(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function g2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};CD.exports=ym});var wm=b((sde,w
Critical
Credential Exfiltration

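Source appears to send environment or credential material to an external endpoint. The truncated excerpt below shows only configuration and environment reads (for example `process.env.VIBEMUX_WORKER_PORT`, `cloudUrl` and `opencodeConfigContent`); the outbound request itself is not visible in it, so the data flow has to be confirmed against the full file.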

dist-worker/apps/worker/src/index.js · L1
4`,"utf8"),r.workspaceRoot=n;let o=IW();Cy()&&(r.cloudUrl=wl()),pW(r.cloudUrl)&&(r.cloudUrl=wl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Ry=()=>ky().opencodeConfigContent,kl=()=>gi(yy()),bl=()=>gi(Qy()),Fp=()=>gi(mW()),Rl=(e=V(),t)=>{let r=Ot().effectiveCloudUrl?.trim()||e.cloudUrl;return Il(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function g2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Child Process

Package source references child process execution.

dist-worker/apps/worker/src/index.js · L4
1var sO=Object.create;var Bp=Object.defineProperty;var iO=Object.getOwnPropertyDescriptor;var aO=Object.getOwnPropertyNames;var AO=Object.getPrototypeOf,cO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},kO=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},wW=()=>({cloudUrl:wl(),machineId:QW(),machineName:Qn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=IW();Cy()&&(r.cloudUrl=wl()),pW(r.cloudUrl)&&(r.cloudUrl=wl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Ry=()=>ky().opencodeConfigContent,kl=()=>gi(yy()),bl=()=>gi(Qy()),Fp=()=>gi(mW()),Rl=(e=V(),t)=>{let r=Ot().effectiveCloudUrl?.trim()||e.cloudUrl;return Il(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function g2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-worker/apps/worker/src/index.js · L1
1var sO=Object.create;var Bp=Object.defineProperty;var iO=Object.getOwnPropertyDescriptor;var aO=Object.getOwnPropertyNames;var AO=Object.getPrototypeOf,cO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},kO=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},wW=()=>({cloudUrl:wl(),machineId:QW(),machineName:Qn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=IW();Cy()&&(r.cloudUrl=wl()),pW(r.cloudUrl)&&(r.cloudUrl=wl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Ry=()=>ky().opencodeConfigContent,kl=()=>gi(yy()),bl=()=>gi(Qy()),Fp=()=>gi(mW()),Rl=(e=V(),t)=>{let r=Ot().effectiveCloudUrl?.trim()||e.cloudUrl;return Il(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function g2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist-worker/apps/worker/src/index.js · L1
1var sO=Object.create;var Bp=Object.defineProperty;var iO=Object.getOwnPropertyDescriptor;var aO=Object.getOwnPropertyNames;var AO=Object.getPrototypeOf,cO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},kO=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},wW=()=>({cloudUrl:wl(),machineId:QW(),machineName:Qn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=IW();Cy()&&(r.cloudUrl=wl()),pW(r.cloudUrl)&&(r.cloudUrl=wl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Ry=()=>ky().opencodeConfigContent,kl=()=>gi(yy()),bl=()=>gi(Qy()),Fp=()=>gi(mW()),Rl=(e=V(),t)=>{let r=Ot().effectiveCloudUrl?.trim()||e.cloudUrl;return Il(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function g2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};CD.exports=ym});var wm=b((sde,w
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-worker/apps/worker/src/index.js · L1
1var sO=Object.create;var Bp=Object.defineProperty;var iO=Object.getOwnPropertyDescriptor;var aO=Object.getOwnPropertyNames;var AO=Object.getPrototypeOf,cO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},kO=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},wW=()=>({cloudUrl:wl(),machineId:QW(),machineName:Qn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=IW();Cy()&&(r.cloudUrl=wl()),pW(r.cloudUrl)&&(r.cloudUrl=wl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Ry=()=>ky().opencodeConfigContent,kl=()=>gi(yy()),bl=()=>gi(Qy()),Fp=()=>gi(mW()),Rl=(e=V(),t)=>{let r=Ot().effectiveCloudUrl?.trim()||e.cloudUrl;return Il(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function g2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};CD.exports=ym});var wm=b((sde,w
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-worker/apps/worker/src/index.js · L1
1var sO=Object.create;var Bp=Object.defineProperty;var iO=Object.getOwnPropertyDescriptor;var aO=Object.getOwnPropertyNames;var AO=Object.getPrototypeOf,cO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},kO=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},wW=()=>({cloudUrl:wl(),machineId:QW(),machineName:Qn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=IW();Cy()&&(r.cloudUrl=wl()),pW(r.cloudUrl)&&(r.cloudUrl=wl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Ry=()=>ky().opencodeConfigContent,kl=()=>gi(yy()),bl=()=>gi(Qy()),Fp=()=>gi(mW()),Rl=(e=V(),t)=>{let r=Ot().effectiveCloudUrl?.trim()||e.cloudUrl;return Il(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function g2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};CD.exports=ym});var wm=b((sde,w
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-worker/apps/worker/src/index.js · L1
bin/node-wrapper.mjs
12process.env.VIBEMUX_WORKER_EXECUTABLE_PATH = workerBin L13: await import(path.join(appRoot, 'dist-worker', 'apps', 'worker', 'src', 'index.js'))
Medium
Dynamic Require

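Package source references dynamic require/import behavior. In the excerpt above, the import target is assembled with `path.join` from `appRoot` and fixed path segments that point at `dist-worker/apps/worker/src/index.js`; where `appRoot` comes from is not visible in the excerpt.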

bin/node-wrapper.mjs · L12

Findings

1 Critical · 4 High · 5 Medium · 6 Low
Critical · Credential Exfiltration · dist-worker/apps/worker/src/index.js
High · Child Process · dist-worker/apps/worker/src/index.js
High · Same File Env Network Execution · dist-worker/apps/worker/src/index.js
High · Command Output Exfiltration · dist-worker/apps/worker/src/index.js
High · Sandbox Evasion Gated Capability · dist-worker/apps/worker/src/index.js
Medium · Dynamic Require · bin/node-wrapper.mjs
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist-worker/apps/worker/src/index.js
Medium · Structural Risk Force Deep Review
Low · Weak Crypto · dist-worker/apps/worker/src/index.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License