Multiple arbitrary code execution (ACE) vulnerabilities via Function.apply and dynamic plugin loading, coupled with suspicious bitwise math, indicate malicious intent.
No verification record available.
The package exhibits multiple potential vulnerabilities that, when combined, suggest malicious intent. Specifically, the use of Function.apply with potentially user-controlled arguments in package/plugins/flow.js poses a significant risk of arbitrary code execution (Evidence 1 and 2). Furthermore, the dynamic loading of plugins based on user-supplied names in package/internal/experimental-cli.mjs (Evidence 3 and 4) creates another avenue for arbitrary code execution. The YARA rule matches for excessive unsigned bitwise math in package/plugins/flow.js and package/plugins/flow.mjs (Evidence 0 and 5), while individually low-confidence indicators, further support the possibility of obfuscated or malicious code. Given the combination of these factors, the package is classified as malware.