Static Scan Results
scanned 23h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcesrc/graph/internal-builder.langs.jsView file
20L21: const require = createRequire(import.meta.url);
L22: const { Parser, Language, Query } = require("web-tree-sitter");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/graph/internal-builder.langs.jsView on unpkg · L20src/analysis/findings.jsView file
1// Unified Finding factory + rollups for the internal dependency/security engine (DEPS_SECURITY_PLAN.md §2.3).
L2: // Every analyzer (unused / structure / vulnerability / malware) and the external-tool adapter emit THIS shape,
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/analysis/findings.jsView on unpkg · L1src/security/registry-sig.rules.jsView file
36// canonical reverse/bind shells — a shell wired to a socket. Essentially never legitimate inside a
L37: // published package: /dev/tcp redirection, netcat -e, interactive-shell redirect, mkfifo pipe shell.
L38: pattern: "/dev/tcp/[0-9]|\\bnc(at)?\\s+-e\\b|\\b(ba)?sh\\s+-i\\b\\s*(2)?>&|mkfifo\\b.{0,60}(ba)?sh\\b|0<&196|socket\\.socket\\(.{0,40}(SOCK_STREAM).{0,80}(/bin/sh|exec)",
L39: re: /\/dev\/tcp\/[0-9]|\bnc(at)?\s+-e\b|\b(ba)?sh\s+-i\b\s*(2)?>&|mkfifo\b[\s\S]{0,60}?\b(ba)?sh\b|0<&196|socket\.socket\([\s\S]{0,120}?(connect|SOCK_STREAM)[\s\S]{0,180}?(\/bin\/s...
...
L48: // bun-types false positive). /etc/passwd + .netrc dropped (too common in prose).
L49: pattern: "\\.ssh/(id_rsa|id_ed25519|id_dsa|authorized_keys)|\\.aws/credentials|\\.git-credentials|/etc/shadow|\\.docker/config\\.json|\\.kube/config",
L50: re: /(readFileSync|readFile|createReadStream|openSync|\.read\(|copyFile|readlink|Get-Content|\bcat\s|\bscp\s|\bcurl\b[^\n]*-[TF])[\s\S]{0,80}?(\.ssh\/(id_(rsa|ed25519|dsa)|authoriz...
L51: what: "reads a credential/secret file (SSH key, cloud creds) in a filesystem-read context",
...
L61: re: /require\(\s*(Buffer\.from|atob)\(|module\.constructor\._load|globalThis\[['"
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/security/registry-sig.rules.jsView on unpkg · L36Findings
1 High4 Medium5 Low
HighCloud Metadata Accesssrc/security/registry-sig.rules.js
MediumDynamic Requiresrc/graph/internal-builder.langs.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/analysis/findings.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings