
vibemux-worker-preview@0.3.60-preview.cfa3d03c

⚠ Under review

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
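The combination of high-risk behaviors matched the scanner's malicious-package policy. This is a policy match, not a confirmed verdict; the version stays warn-only unless a review confirms malicious behavior.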

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · WebSocket
Supply chain
HighEntropyStrings · Minified · Obfuscated · UrlStrings
Manifest
NoLicense
scanned 4 file(s), 1.24 MB of source, external domains: 127.0.0.1, api.github.com, claude.ai, code-server.dev, github.com, opencode.ai, react.dev, vibemux.xyz, www.apple.com, www.w3.org

Source & flagged code

8 flagged
dist-worker/apps/worker/src/index.js
1var _O=Object.create;var vp=Object.defineProperty;var GO=Object.getOwnPropertyDescriptor;var YO=Object.getOwnPropertyNames;var VO=Object.getPrototypeOf,qO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},cW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},iH=()=>({cloudUrl:Nl(),machineId:sH(),machineName:bn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=tH();Gy()&&(r.cloudUrl=Nl()),zW(r.cloudUrl)&&(r.cloudUrl=Nl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Xy=()=>jy().opencodeConfigContent,Ul=()=>mi(Vy()),Pl=()=>mi(qy()),jp=()=>mi(eH()),Fl=(e=W(),t)=>{let r=it().effectiveCloudUrl?.trim()||e.cloudUrl;return Dl(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function l2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};QD.exports=Rm});var xm=b((fde,b
Critical
Credential Exfiltration

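Source appears to send environment or credential material to an external endpoint. The excerpt shown for this finding is truncated minified code: it contains a settings object with a `cloudUrl` and fields such as `codexAuthContent` and `claudeCodeConfigContent`, but no outbound request, so the path from those values to a network sink has to be confirmed in the full file.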

dist-worker/apps/worker/src/index.js · L1
4`,"utf8"),r.workspaceRoot=n;let o=tH();Gy()&&(r.cloudUrl=Nl()),zW(r.cloudUrl)&&(r.cloudUrl=Nl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Xy=()=>jy().opencodeConfigContent,Ul=()=>mi(Vy()),Pl=()=>mi(qy()),jp=()=>mi(eH()),Fl=(e=W(),t)=>{let r=it().effectiveCloudUrl?.trim()||e.cloudUrl;return Dl(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function l2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Child Process

Package source references child process execution.

dist-worker/apps/worker/src/index.js · L4
1var _O=Object.create;var vp=Object.defineProperty;var GO=Object.getOwnPropertyDescriptor;var YO=Object.getOwnPropertyNames;var VO=Object.getPrototypeOf,qO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},cW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},iH=()=>({cloudUrl:Nl(),machineId:sH(),machineName:bn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=tH();Gy()&&(r.cloudUrl=Nl()),zW(r.cloudUrl)&&(r.cloudUrl=Nl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Xy=()=>jy().opencodeConfigContent,Ul=()=>mi(Vy()),Pl=()=>mi(qy()),jp=()=>mi(eH()),Fl=(e=W(),t)=>{let r=it().effectiveCloudUrl?.trim()||e.cloudUrl;return Dl(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function l2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Same File Env Network Execution

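A single source file combines environment access, network access, and code or shell execution; review context before blocking. The flagged file is minified and looks like a single-file bundle, where these capabilities end up co-located regardless of intent, so the combination alone is weak evidence.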

dist-worker/apps/worker/src/index.js · L1
1var _O=Object.create;var vp=Object.defineProperty;var GO=Object.getOwnPropertyDescriptor;var YO=Object.getOwnPropertyNames;var VO=Object.getPrototypeOf,qO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},cW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},iH=()=>({cloudUrl:Nl(),machineId:sH(),machineName:bn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=tH();Gy()&&(r.cloudUrl=Nl()),zW(r.cloudUrl)&&(r.cloudUrl=Nl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Xy=()=>jy().opencodeConfigContent,Ul=()=>mi(Vy()),Pl=()=>mi(qy()),jp=()=>mi(eH()),Fl=(e=W(),t)=>{let r=it().effectiveCloudUrl?.trim()||e.cloudUrl;return Dl(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function l2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist-worker/apps/worker/src/index.js · L1
1var _O=Object.create;var vp=Object.defineProperty;var GO=Object.getOwnPropertyDescriptor;var YO=Object.getOwnPropertyNames;var VO=Object.getPrototypeOf,qO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},cW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},iH=()=>({cloudUrl:Nl(),machineId:sH(),machineName:bn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=tH();Gy()&&(r.cloudUrl=Nl()),zW(r.cloudUrl)&&(r.cloudUrl=Nl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Xy=()=>jy().opencodeConfigContent,Ul=()=>mi(Vy()),Pl=()=>mi(qy()),jp=()=>mi(eH()),Fl=(e=W(),t)=>{let r=it().effectiveCloudUrl?.trim()||e.cloudUrl;return Dl(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function l2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};QD.exports=Rm});var xm=b((fde,b
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-worker/apps/worker/src/index.js · L1
1var _O=Object.create;var vp=Object.defineProperty;var GO=Object.getOwnPropertyDescriptor;var YO=Object.getOwnPropertyNames;var VO=Object.getPrototypeOf,qO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},cW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},iH=()=>({cloudUrl:Nl(),machineId:sH(),machineName:bn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=tH();Gy()&&(r.cloudUrl=Nl()),zW(r.cloudUrl)&&(r.cloudUrl=Nl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Xy=()=>jy().opencodeConfigContent,Ul=()=>mi(Vy()),Pl=()=>mi(qy()),jp=()=>mi(eH()),Fl=(e=W(),t)=>{let r=it().effectiveCloudUrl?.trim()||e.cloudUrl;return Dl(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function l2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};QD.exports=Rm});var xm=b((fde,b
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-worker/apps/worker/src/index.js · L1
1var _O=Object.create;var vp=Object.defineProperty;var GO=Object.getOwnPropertyDescriptor;var YO=Object.getOwnPropertyNames;var VO=Object.getPrototypeOf,qO=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},cW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},iH=()=>({cloudUrl:Nl(),machineId:sH(),machineName:bn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=tH();Gy()&&(r.cloudUrl=Nl()),zW(r.cloudUrl)&&(r.cloudUrl=Nl());let s=Number(process.env.VIBEMUX_WORKER_PORT?.trim());Number.isFinite(s)&&s>0&&(r.l... L5: `,"utf8")},Xy=()=>jy().opencodeConfigContent,Ul=()=>mi(Vy()),Pl=()=>mi(qy()),jp=()=>mi(eH()),Fl=(e=W(),t)=>{let r=it().effectiveCloudUrl?.trim()||e.cloudUrl;return Dl(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function l2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};QD.exports=Rm});var xm=b((fde,b
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-worker/apps/worker/src/index.js · L1
bin/node-wrapper.mjs
32process.env.VIBEMUX_WORKER_EXECUTABLE_PATH = workerBin L33: await import(pathToFileURL(path.join(appRoot, 'dist-worker', 'apps', 'worker', 'src', 'index.js')).href)
Medium
Dynamic Require

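Package source references dynamic require/import behavior. In the excerpt the `import()` target is assembled from `appRoot` and fixed path segments ending in the package's own `dist-worker/apps/worker/src/index.js`; how `appRoot` is derived is not shown.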

bin/node-wrapper.mjs · L32

Findings

1 Critical · 4 High · 5 Medium · 6 Low
Critical · Credential Exfiltration · dist-worker/apps/worker/src/index.js
High · Child Process · dist-worker/apps/worker/src/index.js
High · Same File Env Network Execution · dist-worker/apps/worker/src/index.js
High · Command Output Exfiltration · dist-worker/apps/worker/src/index.js
High · Sandbox Evasion Gated Capability · dist-worker/apps/worker/src/index.js
Medium · Dynamic Require · bin/node-wrapper.mjs
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist-worker/apps/worker/src/index.js
Medium · Structural Risk Force Deep Review
Low · Weak Crypto · dist-worker/apps/worker/src/index.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License