Static Scan Results
scanned 5d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
2 flagged · loading sourcedist/auth-D9uj0nNr.jsView file
14import { homedir } from "node:os";
L15: import { createServer } from "node:http";
L16: import { getModel, getModels } from "@earendil-works/pi-ai";
...
L18: //#region src/chat/oauth-page/server.ts
L19: const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
L20: function buildRequestHandler(opts, pending) {
...
L43: res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
L44: res.end(opts.renderPage({
L45: kind: "success",
...
L121: //#region src/chat/oauth-page/anthropic.ts
L122: const CLIENT_ID$1 = atob("[redacted]");
L123: const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/auth-D9uj0nNr.jsView on unpkg · L1414Trigger-reachable chain: manifest.exports -> dist/chat.js -> dist/auth-D9uj0nNr.js
L14: import { homedir } from "node:os";
L15: import { createServer } from "node:http";
L16: import { getModel, getModels } from "@earendil-works/pi-ai";
...
L18: //#region src/chat/oauth-page/server.ts
L19: const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
L20: function buildRequestHandler(opts, pending) {
...
L43: res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
L44: res.end(opts.renderPage({
L45: kind: "success",
...
L121: //#region src/chat/oauth-page/anthropic.ts
L122: const CLIENT_ID$1 = atob("[redacted]");
L123: const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/auth-D9uj0nNr.jsView on unpkg · L14Findings
2 Critical3 Medium5 Low
CriticalCredential Exfiltrationdist/auth-D9uj0nNr.js
CriticalTrigger Reachable Dangerous Capabilitydist/auth-D9uj0nNr.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings