registry  /  xypriss  /  9.12.5

xypriss@9.12.5

⚠ Under review

XyPriss is a high-performance, TypeScript-first hyper-system web framework powered by a native Go core (XHSC), featuring robust multi-tenant sandboxing, secure native file streaming, and zero Express dependencies.

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 10 file(s), 2.51 MB of source, external domains: 127.0.0.1, api.nehonix.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, dll.nehonix.com, fonts.googleapis.com, fonts.gstatic.com, github.com, lab.nehonix.com, xypriss.nehonix.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
name = xypriss; similarTo = cypress
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.jsonView on unpkg
dist/esm/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = xypriss@9.12.4 matchedIdentity = npm:eHlwcmlzcw:9.12.4 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/esm/index.jsView on unpkg
7import crypto__default, { timingSafeEqual } from 'crypto'; L8: import { execFileSync, spawn } from 'node:child_process'; L9: import * as fs from 'node:fs'; ... L11: import { fileURLToPath } from 'node:url'; L12: import * as net from 'node:net'; L13: import * as fs$1 from 'fs'; ... L344: */ L345: const canColor = () => typeof process === "undefined" || !("NO_COLOR" in process.env); L346: // ───────────────────────────────────────────── ... L821: catch { L822: process?.stderr?.write(`[LOGGER_FAILURE] ${message}\n`); L823: }
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/esm/index.jsView on unpkg · L7
129function getSysApi() { L130: return require("../../xhsc").localSysApi; L131: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/esm/index.jsView on unpkg · L129
7import crypto__default, { timingSafeEqual } from 'crypto'; L8: import { execFileSync, spawn } from 'node:child_process'; L9: import * as fs from 'node:fs'; ... L11: import { fileURLToPath } from 'node:url'; L12: import * as net from 'node:net'; L13: import * as fs$1 from 'fs'; ... L344: */ L345: const canColor = () => typeof process === "undefined" || !("NO_COLOR" in process.env); L346: // ───────────────────────────────────────────── ... L821: catch { L822: process?.stderr?.write(`[LOGGER_FAILURE] ${message}\n`); L823: }
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/esm/index.jsView on unpkg · L7
7import crypto__default, { timingSafeEqual } from 'crypto'; L8: import { execFileSync, spawn } from 'node:child_process'; L9: import * as fs from 'node:fs'; ... L11: import { fileURLToPath } from 'node:url'; L12: import * as net from 'node:net'; L13: import * as fs$1 from 'fs'; ... L344: */ L345: const canColor = () => typeof process === "undefined" || !("NO_COLOR" in process.env); L346: // ───────────────────────────────────────────── ... L821: catch { L822: process?.stderr?.write(`[LOGGER_FAILURE] ${message}\n`); L823: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/esm/index.jsView on unpkg · L7
scripts/monitor_memory.shView file
path = scripts/monitor_memory.sh kind = build_helper sizeBytes = 3955 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/monitor_memory.shView on unpkg
dist/index.d.tsView file
619patternName = generic_password severity = medium line = 619 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/index.d.ts

dist/index.d.tsView on unpkg · L619

Findings

1 Critical2 High10 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/esm/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderdist/esm/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumTyposquat Namepackage.json
MediumDynamic Requiredist/esm/index.js
MediumUnsafe Vm Contextdist/esm/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/esm/index.js
MediumShips Build Helperscripts/monitor_memory.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.d.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License