
zen-gitsync@2.15.3

⚠ Under review

Auto commit, scheduled sync, and visual GUI for Git. Run `g` in any repo for one-key commit & push, AI commit messages, scheduled background sync, and a drag-and-drop workflow builder.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.

Decision evidence

(public snapshot)

Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
scanned 99 file(s), 7.19 MB of source, external domains: 127.0.0.1, bugzilla.mozilla.org, code.google.com, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, r12a.github.io, registry.npmjs.org, rolldown.rs, sass-lang.com, schema.org, stackoverflow.com, support.google.com, tools.ietf.org, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.npmjs.com, www.w3.org, www.whatwg.org
Oversized source lightweight scan
src/ui/public/assets/monaco-BFLoT2VD.js: 3.99 MB file, sampled 256 KB; signals: High Entropy Strings, Minified
src/ui/public/assets/ts.worker-B0J26iPs.js: 6.58 MB file, sampled 256 KB; signals: Filesystem, Network, Child Process
src/ui/public/assets/vendor-DTvkqYXo.js: 9.13 MB file, sampled 256 KB; signals: Child Process, Obfuscated, High Entropy Strings, Minified

Source & flagged code

10 flagged code locations

scripts/run-tests.cjs
L19: const { join, relative, sep, resolve } = require('path')
L20: const { spawn } = require('child_process')
L21:
High
Child Process

Package source references child process execution.

scripts/run-tests.cjs · L19
src/ui/server/routes/exec.js
L24: //
L25: // Previously ran spawn(command.trim(), [], { shell: true }); `command` came straight from the
L26: // socket payload, so any shell command could run (RCE class). Switched to argv mode:
High
Shell

Package source references shell execution.

src/ui/server/routes/exec.js · L24
src/ui/server/routes/npm.js
L172: const npmCmd = isWin ? 'npm.cmd' : 'npm'
L173: const args = ['install', '-g', 'zen-gitsync', '--registry', 'https://registry.npmjs.org/']
L174: const cmd = isWin ? npmCmd : 'sudo'
...
L181: try {
L182:   child = spawn(cmd, finalArgs, {
L183:     env: { ...process.env, FORCE_COLOR: '0' },
L184:     windowsHide: true,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/ui/server/routes/npm.js · L172
L6: //
L7: // http://www.apache.org/licenses/LICENSE-2.0
L8: //
...
L20: import os from 'os';
L21: import { exec, spawn } from 'child_process';
L22: import https from 'https';
...
L26: const __filename = fileURLToPath(import.meta.url);
L27: const __dirname = path.dirname(__filename);
L28:
...
L64:
L65: // Currently installed version (read from the outer package.json)
L66: function getCurrentVersion() {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/ui/server/routes/npm.js · L6
scripts/release.js
L7: //
L8: // http://www.apache.org/licenses/LICENSE-2.0
L9: //
...
L27:  * npm run release -- --skip-push   # publish to npm only, do not push git
L28:  * npm run release -- --dry-run    # only print the plan; do not actually change package.json / commit / publish
L29:  */
...
L34: import { fileURLToPath } from 'node:url'
L35: import { execSync, spawn } from 'node:child_process'
L36: import chalk from 'chalk'
...
L39: const __filename = fileURLToPath(import.meta.url)
L40: const __dirname = path.dirname(__filename)
L41: const rootDir = path.resolve(__dirname, '..')
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

scripts/release.js · L7
L25:  * npm run release                    # full pipeline, all guardrails against self-inflicted damage enabled
L26:  * npm run release -- --sk[redacted]  # do not automatically run npm install -g zen-gitsync after publishing
L27:  * npm run release -- --skip-push     # publish to npm only, do not push git
...
L34: import { fileURLToPath } from 'node:url'
L35: import { execSync, spawn } from 'node:child_process'
L36: import chalk from 'chalk'
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/release.js · L25
src/ui/public/assets/html.worker-BO6WuOEO.js
L29: contains invisible/control Unicode U+2060 (word joiner):
`,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/ui/public/assets/html.worker-BO6WuOEO.js · L29
src/ui/public/assets/vendor-DTvkqYXo.js
path = src/ui/public/assets/vendor-DTvkqYXo.js
kind = oversized_source_file
sizeBytes = 9570094
magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

src/ui/public/assets/vendor-DTvkqYXo.js
package.json
scripts: registry_only = start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.json
src/gitCommit.js
matchType = previous_version_dangerous_delta
matchedPackage = zen-gitsync@2.15.2
matchedIdentity = npm:emVuLWdpdHN5bmM:2.15.2
similarity = 0.959
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/gitCommit.js

Findings

4 Critical · 6 High · 3 Medium · 5 Low

Critical · Npm Publish Worm · scripts/release.js
Critical · Trojan Source Unicode · src/ui/public/assets/html.worker-BO6WuOEO.js
Critical · Manifest Confusion · package.json
Critical · Previous Version Dangerous Delta · src/gitCommit.js
High · Child Process · scripts/run-tests.cjs
High · Shell · src/ui/server/routes/exec.js
High · Same File Env Network Execution · src/ui/server/routes/npm.js
High · Sandbox Evasion Gated Capability · src/ui/server/routes/npm.js
High · Runtime Package Install · scripts/release.js
High · Oversized Source File · src/ui/public/assets/vendor-DTvkqYXo.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings