
vibemux-worker-preview@0.3.87-preview.b953720c

⚠ Under review

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 findings at 86.0% confidence. This version remains warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
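The combination of high-risk behaviors in this version matched the scanner's policy for malicious packages. This is a static match, not a confirmed verdict.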

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network
Supply chain
HighEntropyStrings · Minified · Obfuscated · UrlStrings
Manifest
NoLicense
scanned 4 file(s), 1.25 MB of source, external domains: 127.0.0.1, api.github.com, claude.ai, github.com, opencode.ai, react.dev, vibemux.xyz, www.apple.com, www.w3.org

Source & flagged code

7 flagged
dist-worker/apps/worker/src/index.js
1var cW=Object.create;var Yp=Object.defineProperty;var lW=Object.getOwnPropertyDescriptor;var uW=Object.getOwnPropertyNames;var dW=Object.getPrototypeOf,gW=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},xW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},bH=()=>({cloudUrl:Ol(),machineId:kH(),machineName:xn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=yH();iQ()&&(r.cloudUrl=Ol()),EH({cloudUrl:r.cloudUrl,hasSavedPairing:!!(r.executorId&&r.executorToken)})&&(r.cloudUrl=Ol());let s=Number(process.e... L5: `,"utf8")},pQ=()=>dQ().opencodeConfigContent,Hl=()=>Bi(AQ()),_l=()=>Bi(cQ()),ah=()=>Bi(BH()),Gl=(e=H(),t)=>{let r=Je().effectiveCloudUrl?.trim()||e.cloudUrl;return Ul(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function v2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};HD.exports=Wm});var _m=b((Yde,V
Critical
Credential Exfiltration

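Source appears to send environment or credential material to an external endpoint. The excerpt below is truncated: its visible part shows handling of a cloud URL, executor ID/token pairing state and agent configuration content, but not the outbound request itself, so the data flow has to be confirmed against the full file.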

dist-worker/apps/worker/src/index.js · L1
4`,"utf8"),r.workspaceRoot=n;let o=yH();iQ()&&(r.cloudUrl=Ol()),EH({cloudUrl:r.cloudUrl,hasSavedPairing:!!(r.executorId&&r.executorToken)})&&(r.cloudUrl=Ol());let s=Number(process.e... L5: `,"utf8")},pQ=()=>dQ().opencodeConfigContent,Hl=()=>Bi(AQ()),_l=()=>Bi(cQ()),ah=()=>Bi(BH()),Gl=(e=H(),t)=>{let r=Je().effectiveCloudUrl?.trim()||e.cloudUrl;return Ul(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function v2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Child Process

Package source references child process execution.

dist-worker/apps/worker/src/index.js · L4
1var cW=Object.create;var Yp=Object.defineProperty;var lW=Object.getOwnPropertyDescriptor;var uW=Object.getOwnPropertyNames;var dW=Object.getPrototypeOf,gW=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},xW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},bH=()=>({cloudUrl:Ol(),machineId:kH(),machineName:xn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=yH();iQ()&&(r.cloudUrl=Ol()),EH({cloudUrl:r.cloudUrl,hasSavedPairing:!!(r.executorId&&r.executorToken)})&&(r.cloudUrl=Ol());let s=Number(process.e... L5: `,"utf8")},pQ=()=>dQ().opencodeConfigContent,Hl=()=>Bi(AQ()),_l=()=>Bi(cQ()),ah=()=>Bi(BH()),Gl=(e=H(),t)=>{let r=Je().effectiveCloudUrl?.trim()||e.cloudUrl;return Ul(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function v2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-worker/apps/worker/src/index.js · L1
1var cW=Object.create;var Yp=Object.defineProperty;var lW=Object.getOwnPropertyDescriptor;var uW=Object.getOwnPropertyNames;var dW=Object.getPrototypeOf,gW=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},xW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},bH=()=>({cloudUrl:Ol(),machineId:kH(),machineName:xn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=yH();iQ()&&(r.cloudUrl=Ol()),EH({cloudUrl:r.cloudUrl,hasSavedPairing:!!(r.executorId&&r.executorToken)})&&(r.cloudUrl=Ol());let s=Number(process.e... L5: `,"utf8")},pQ=()=>dQ().opencodeConfigContent,Hl=()=>Bi(AQ()),_l=()=>Bi(cQ()),ah=()=>Bi(BH()),Gl=(e=H(),t)=>{let r=Je().effectiveCloudUrl?.trim()||e.cloudUrl;return Ul(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function v2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist-worker/apps/worker/src/index.js · L1
1var cW=Object.create;var Yp=Object.defineProperty;var lW=Object.getOwnPropertyDescriptor;var uW=Object.getOwnPropertyNames;var dW=Object.getPrototypeOf,gW=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},xW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},bH=()=>({cloudUrl:Ol(),machineId:kH(),machineName:xn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=yH();iQ()&&(r.cloudUrl=Ol()),EH({cloudUrl:r.cloudUrl,hasSavedPairing:!!(r.executorId&&r.executorToken)})&&(r.cloudUrl=Ol());let s=Number(process.e... L5: `,"utf8")},pQ=()=>dQ().opencodeConfigContent,Hl=()=>Bi(AQ()),_l=()=>Bi(cQ()),ah=()=>Bi(BH()),Gl=(e=H(),t)=>{let r=Je().effectiveCloudUrl?.trim()||e.cloudUrl;return Ul(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function v2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};HD.exports=Wm});var _m=b((Yde,V
Medium
Install Persistence

Source writes install-time persistence, such as a shell profile or service configuration.

dist-worker/apps/worker/src/index.js · L1
1var cW=Object.create;var Yp=Object.defineProperty;var lW=Object.getOwnPropertyDescriptor;var uW=Object.getOwnPropertyNames;var dW=Object.getPrototypeOf,gW=Object.prototype.hasOwnPr... L2: `;)s+=1;s<e.length&&(t+=e[s]);continue}if(i==="/"&&a==="*"){for(s+=2;s<e.length-1&&!(e[s]==="*"&&e[s+1]==="/");)s+=1;s+=1;continue}t+=i}return t},xW=e=>{let t="",r=!1,n='"',o=!1;fo... L3: `,"utf8"),r},bH=()=>({cloudUrl:Ol(),machineId:kH(),machineName:xn.hostname(),opencodeConfigContent:"",codexConfigContent:"",codexAuthContent:"",claudeCodeConfigContent:"",piAgentDi... L4: `,"utf8"),r.workspaceRoot=n;let o=yH();iQ()&&(r.cloudUrl=Ol()),EH({cloudUrl:r.cloudUrl,hasSavedPairing:!!(r.executorId&&r.executorToken)})&&(r.cloudUrl=Ol());let s=Number(process.e... L5: `,"utf8")},pQ=()=>dQ().opencodeConfigContent,Hl=()=>Bi(AQ()),_l=()=>Bi(cQ()),ah=()=>Bi(BH()),Gl=(e=H(),t)=>{let r=Je().effectiveCloudUrl?.trim()||e.cloudUrl;return Ul(e.opencodeCon... L6: `)||e.includes("\r")||e.includes("\0"))===!1}function v2(e){let t=(e.headersList.get("referrer-policy",!0)??"").split(","),r="";if(t.length)for(let n=t.length;n!==0;n--){let o=t[n-... ... L47: L48: ${t.format(r)}`.trim())}};HD.exports=Wm});var _m=b((Yde,V
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-worker/apps/worker/src/index.js · L1
bin/node-wrapper.mjs
32process.env.VIBEMUX_WORKER_EXECUTABLE_PATH = workerBin L33: await import(pathToFileURL(path.join(appRoot, 'dist-worker', 'apps', 'worker', 'src', 'index.js')).href)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/node-wrapper.mjs · L32

Findings

1 Critical · 3 High · 5 Medium · 6 Low
Critical — Credential Exfiltration — dist-worker/apps/worker/src/index.js
High — Child Process — dist-worker/apps/worker/src/index.js
High — Same File Env Network Execution — dist-worker/apps/worker/src/index.js
High — Command Output Exfiltration — dist-worker/apps/worker/src/index.js
Medium — Dynamic Require — bin/node-wrapper.mjs
Medium — Network
Medium — Environment Vars
Medium — Install Persistence — dist-worker/apps/worker/src/index.js
Medium — Structural Risk Force Deep Review
Low — Weak Crypto — dist-worker/apps/worker/src/index.js
Low — Filesystem
Low — Obfuscated
Low — High Entropy Strings
Low — Url Strings
Low — No License