Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: Child Process · Environment Vars · Filesystem · Network · High Entropy Strings · Url Strings
Source & flagged code
4 flagged
package.json
• scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json • scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
bin/yarr.js
L5: const path = require("node:path");
L6: const { spawnSync } = require("node:child_process");
L7: const { binaryPath } = require("../lib/platform");
High · Child Process
scripts/install.js
L4: const fs = require("node:fs");
L5: const https = require("node:https");
L6: const os = require("node:os");
L7: const path = require("node:path");
L8: const { spawnSync } = require("node:child_process");
L9: const {
...
L17: function log(message) {
L18: process.stderr.write(`yarr: ${message}\n`);
L19: }
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
scripts/install.js · L4
Findings
3 High · 4 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/yarr.js
High · Command Output Exfiltration · scripts/install.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings