Azad Coder (GPT 5 & Claude)

`{file_path}` reads host data (env vars, dotfiles, home paths) within {proximity} characters of an outbound POST or PUT. This is the shape of an exfiltration handler.

▶ line 3683: …ion must be a full URL when used.")}),T9(r,()=>Promise.resolve({}))}let n=t.protocol==="https:",s=g4i(t,r.proxy||(n?process.env.https_proxy:void 0)||process.env.http_proxy),o=n?h4i:f4i,c=r.keepAlive===void 0?!1:r.keepAlive,e=s?new cQ(s):new o.Agent({keepAlive:c,maxSockets:30,timeout:2e3}),d=v4i(r,Su(r.httpModule,()=>o),e);return T9(r,d)}a(ryr,"makeNodeTransport");function g4i(r,t){let{no_proxy:n}=process.env;if(!(n&&n.split(",").some(o=>r.host.endsWith(o)||r.hostname.endsWith(o))))return t}a(g4i,"applyNoProxyOption");function v4i(r,t,n){let{hostname:s,pathname:o,port:c,protocol:e,search:d}=new URL(r.url);return a(function(p){return new Promise((f,g)=>{Kne(()=>{let u=m4i(p.body),S={...r.headers};p.body.length>p4i&&(S["content-encoding"]="gzip",u=u.pipe((0,tyr.createGzip)()));let I=t.request…

`{file_path}` issues an HTTP call to `{url}`. Confirm this is a documented integration; outbound calls to arbitrary hosts widen the extension's trust surface.

▶ line 3704: …s.status}): ${s.statusText}`)}return o}catch(n){throw console.error(`Error fetching MCP API (${r}):`,n),n instanceof Error?new Error(`Failed to fetch MCP API (${r}): ${n.message}`):new Error(`Failed to fetch MCP API (${r}): Unknown error`)}}var p_,Kia,Xia,Jia,Zia,p7r,g$e=ye(()=>{"use strict";en();kf();LE();Hee();p_=At(require("vscode"));f7r();pi();p$e();Ic();Kia="https://r2.kodu.ai/mcps.json",Xia="https://glama.ai/api/mcp";a(m$e,"fetchMcpApi");Jia=ke.object({mcpId:ke.string(),name:ke.string(),githubUrl:ke.url(),serverType:ke.enum(["stdio","sse"]).prefault("stdio")}),Zia=Il({getPublicMcps:gr.input(ke.void()).query(async()=>{try{let r=await uj(Kia);if(!r.ok)throw new Error(`Failed to fetch public MCPs: ${r.statusText} (${r.status})`);let t=await r.json(),n=iIt.array().safeParse(t);if(!n.succ…

`{file_path}` enumerates the entire process.env object rather than reading a specific variable. Common precursor to exfiltrating GITHUB_TOKEN, AWS_*, and similar credentials.

▶ line 1: … major version of `debug`.");y.colors=[6,2,3,4,5,1];try{let e=Vr();e&&(e.stderr||e).level>=2&&(y.colors=[20,21,26,27,32,33,38,39,40,41,42,43,44,45,56,57,62,63,68,69,74,75,76,77,78,79,80,81,92,93,98,99,112,113,128,129,134,135,148,149,160,161,162,163,164,165,166,167,168,169,170,171,172,173,178,179,184,185,196,197,198,199,200,201,202,203,204,205,206,207,208,209,214,215,220,221])}catch{}y.inspectOpts=Object.keys(process.env).filter(e=>/^debug_/i.test(e)).reduce((e,r)=>{let t=r.substring(6).toLowerCase().replace(/_([a-z])/g,(i,s)=>s.toUpperCase()),n=process.env[r];return/^(yes|on|true|enabled)$/i.test(n)?n=!0:/^(no|off|false|disabled)$/i.test(n)?n=!1:n==="null"?n=null:n=Number(n),e[t]=n,e},{});function nn(){return"colors"in y.inspectOpts?!!y.inspectOpts.colors:tn.isatty(process.stderr.fd)}funct…

`{file_path}` enumerates the entire process.env object rather than reading a specific variable. Common precursor to exfiltrating GITHUB_TOKEN, AWS_*, and similar credentials.

    if (message.method === "__init__") {
      const { processParams, runnerParams, runnerScript } = message.params;
      void (0, import_utils.startProfiling)();
      (0, import_utils.setTimeOrigin)(processParams.timeOrigin);
      const { create } = require(runnerScript);
      processRunner = create(runnerParams);
      processName = processParams.processName;
      return;
    }
    if (message.method === "__stop__") {
▶     const keys = /* @__PURE__ */ new Set([...Object.keys(process.env), ...Object.keys(startingEnv)]);
      const producedEnv = [...keys].filter((key) => startingEnv[key] !== process.env[key]).map((key) => [key, process.env[key] ?? null]);
      sendMessageToParent({ method: "__env_produced__", params: producedEnv });
      await gracefullyCloseAndExit(false);
      return;
    }
    if (message.method === "__dispatch__") {
      const { id, method, params } = message.params;
      try {
        const result = await processRunner[method](params);
        const response = { id, result };

`{file_path}` issues an HTTP call to `{url}`. Confirm this is a documented integration; outbound calls to arbitrary hosts widen the extension's trust surface.

▶ line 1875: …ngerprint,i=e.fingerprint;if(!t&&!i)return!0;if(t&&!i||!t&&i)return!1;t=t,i=i;try{return t.join("")===i.join("")}catch{return!1}}function O1e(n){return n.exception?.values?.[0]}function pMe(n){if(n!==void 0)return n>=400&&n<500?"warning":n>=500?"error":void 0}const $E=Ss;function kUt(){return"history"in $E&&!!$E.history}function LUt(){if(!("fetch"in $E))return!1;try{return new Headers,new Request("http://www.example.com"),new Response,!0}catch{return!1}}function dG(n){return n&&/^function\s+\w+\(\)\s+\{\s+\[native code\]\s+\}$/.test(n.toString())}function EUt(){if(typeof EdgeRuntime=="string")return!0;if(!LUt())return!1;if(dG($E.fetch))return!0;let n=!1;const e=$E.document;if(e&&typeof e.createElement=="function")try{const t=e.createElement("iframe");t.hidden=!0,e.head.appendChild(t),t.con…

`{file_path}` enumerates the entire process.env object rather than reading a specific variable. Common precursor to exfiltrating GITHUB_TOKEN, AWS_*, and similar credentials.

▶ line 33: …jor version of `debug`.");lr.colors=[6,2,3,4,5,1];try{let e=Sv();e&&(e.stderr||e).level>=2&&(lr.colors=[20,21,26,27,32,33,38,39,40,41,42,43,44,45,56,57,62,63,68,69,74,75,76,77,78,79,80,81,92,93,98,99,112,113,128,129,134,135,148,149,160,161,162,163,164,165,166,167,168,169,170,171,172,173,178,179,184,185,196,197,198,199,200,201,202,203,204,205,206,207,208,209,214,215,220,221])}catch{}lr.inspectOpts=Object.keys(process.env).filter(e=>/^debug_/i.test(e)).reduce((e,t)=>{let r=t.substring(6).toLowerCase().replace(/_([a-z])/g,(s,i)=>i.toUpperCase()),n=process.env[t];return/^(yes|on|true|enabled)$/i.test(n)?n=!0:/^(no|off|false|disabled)$/i.test(n)?n=!1:n==="null"?n=null:n=Number(n),e[r]=n,e},{});function iJ(){return"colors"in lr.inspectOpts?!!lr.inspectOpts.colors:sJ.isatty(process.stderr.fd)}fun…

`{file_path}` issues an HTTP call to `{url}`. Confirm this is a documented integration; outbound calls to arbitrary hosts widen the extension's trust surface.

▶ line 3704: …{throw new Error(`MCP API Error (${s.status}): ${s.statusText}`)}return o}catch(n){throw console.error(`Error fetching MCP API (${r}):`,n),n instanceof Error?new Error(`Failed to fetch MCP API (${r}): ${n.message}`):new Error(`Failed to fetch MCP API (${r}): Unknown error`)}}var p_,Kia,Xia,Jia,Zia,p7r,g$e=ye(()=>{"use strict";en();kf();LE();Hee();p_=At(require("vscode"));f7r();pi();p$e();Ic();Kia="https://r2.kodu.ai/mcps.json",Xia="https://glama.ai/api/mcp";a(m$e,"fetchMcpApi");Jia=ke.object({mcpId:ke.string(),name:ke.string(),githubUrl:ke.url(),serverType:ke.enum(["stdio","sse"]).prefault("stdio")}),Zia=Il({getPublicMcps:gr.input(ke.void()).query(async()=>{try{let r=await uj(Kia);if(!r.ok)throw new Error(`Failed to fetch public MCPs: ${r.statusText} (${r.status})`);let t=await r.json(),n=…

`{file_path}` enumerates the entire process.env object rather than reading a specific variable. Common precursor to exfiltrating GITHUB_TOKEN, AWS_*, and similar credentials.

▶ line 2: …jor version of `debug`.");Xe.colors=[6,2,3,4,5,1];try{let i=hh();i&&(i.stderr||i).level>=2&&(Xe.colors=[20,21,26,27,32,33,38,39,40,41,42,43,44,45,56,57,62,63,68,69,74,75,76,77,78,79,80,81,92,93,98,99,112,113,128,129,134,135,148,149,160,161,162,163,164,165,166,167,168,169,170,171,172,173,178,179,184,185,196,197,198,199,200,201,202,203,204,205,206,207,208,209,214,215,220,221])}catch{}Xe.inspectOpts=Object.keys(process.env).filter(i=>/^debug_/i.test(i)).reduce((i,e)=>{let t=e.substring(6).toLowerCase().replace(/_([a-z])/g,(n,s)=>s.toUpperCase()),r=process.env[e];return/^(yes|on|true|enabled)$/i.test(r)?r=!0:/^(no|off|false|disabled)$/i.test(r)?r=!1:r==="null"?r=null:r=Number(r),i[t]=r,i},{});function E_(){return"colors"in Xe.inspectOpts?!!Xe.inspectOpts.colors:S_.isatty(process.stderr.fd)}fun…

`{file_path}` enumerates the entire process.env object rather than reading a specific variable. Common precursor to exfiltrating GITHUB_TOKEN, AWS_*, and similar credentials.

            208,
            209,
            214,
            215,
            220,
            221
          ];
        }
      } catch (error) {
      }
▶     exports2.inspectOpts = Object.keys(process.env).filter((key) => {
        return /^debug_/i.test(key);
      }).reduce((obj, key) => {
        const prop = key.substring(6).toLowerCase().replace(/_([a-z])/g, (_, k) => {
          return k.toUpperCase();
        });
        let val = process.env[key];
        if (/^(yes|on|true|enabled)$/i.test(val)) {
          val = true;
        } else if (/^(no|off|false|disabled)$/i.test(val)) {
          val = false;

`{file_path}` enumerates the entire process.env object rather than reading a specific variable. Common precursor to exfiltrating GITHUB_TOKEN, AWS_*, and similar credentials.

▶ line 417: …or version of `debug`.");Mo.colors=[6,2,3,4,5,1];try{let r=Iht();r&&(r.stderr||r).level>=2&&(Mo.colors=[20,21,26,27,32,33,38,39,40,41,42,43,44,45,56,57,62,63,68,69,74,75,76,77,78,79,80,81,92,93,98,99,112,113,128,129,134,135,148,149,160,161,162,163,164,165,166,167,168,169,170,171,172,173,178,179,184,185,196,197,198,199,200,201,202,203,204,205,206,207,208,209,214,215,220,221])}catch{}Mo.inspectOpts=Object.keys(process.env).filter(r=>/^debug_/i.test(r)).reduce((r,t)=>{let n=t.substring(6).toLowerCase().replace(/_([a-z])/g,(o,u)=>u.toUpperCase()),s=process.env[t];return/^(yes|on|true|enabled)$/i.test(s)?s=!0:/^(no|off|false|disabled)$/i.test(s)?s=!1:s==="null"?s=null:s=Number(s),r[n]=s,r},{});function ECr(){return"colors"in Mo.inspectOpts?!!Mo.inspectOpts.colors:_Cr.isatty(process.stderr.fd)}a…

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/darwin-x64+arm64/node.napi.node  (647,376 bytes)

`{file_path}` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell.

▶ line 13: …f(this._scriptPath){let h;try{h=ys.realpathSync(this._scriptPath)}catch{h=this._scriptPath}a=te.resolve(te.dirname(h),a)}if(a){let h=n(a,o);if(!h&&!e._executableFile&&this._scriptPath){let f=te.basename(this._scriptPath,te.extname(this._scriptPath));f!==this._name&&(h=n(a,`${f}-${e._name}`))}o=h||o}i=s.includes(te.extname(o));let l;v.platform!=="win32"?i?(t.unshift(o),t=Qr(v.execArgv).concat(t),l=gs.spawn(v.argv[0],t,{stdio:"inherit"})):l=gs.spawn(o,t,{stdio:"inherit"}):(t.unshift(o),t=Qr(v.execArgv).concat(t),l=gs.spawn(v.execPath,t,{stdio:"inherit"})),l.killed||["SIGUSR1","SIGUSR2","SIGTERM","SIGINT","SIGHUP"].forEach(f=>{v.on(f,()=>{l.killed===!1&&l.exitCode===null&&l.kill(f)})});let u=this._exitCallback;u?l.on("close",()=>{u(new _s(v.exitCode||0,"commander.executeSubCommandAsync","(clo…

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/linux-arm/node.napi.armv7.node  (396,784 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/linux-arm/node.napi.armv6.node  (396,772 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/darwin-x64+arm64/node.napi.node  (647,376 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/linux-arm-musleabihf/index.node  (8,486,596 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/linux-arm-gnueabihf/index.node  (8,240,852 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/darwin-x64/index.node  (8,710,768 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/linux-arm64-musl/index.node  (8,703,704 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/win32-ia32/node.napi.node  (455,168 bytes)

`{file_path}` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell.

▶ line 18: …,l.push(t.join(","))),i.target=Buffer.from(l.join(" "),"utf16le").toString("base64")}else{if(e)r=e;else{let a=!__dirname||__dirname==="/",l=!1;try{await rl.access(Hp,Kp.X_OK),l=!0}catch{}r=process.versions.electron||Er==="android"||a||!l?"xdg-open":Hp}t.length>0&&n.push(...t),i.wait||(s.stdio="ignore",s.detached=!0)}i.target&&n.push(i.target),Er==="darwin"&&t.length>0&&n.push("--args",...t);let o=C1.spawn(r,n,s);return i.wait?new Promise((a,l)=>{o.once("error",l),o.once("close",c=>{if(i.allowNonzeroExitCode&&c>0){l(new Error(`Exited with code ${c}`));return}a(o)})}):(o.unref(),o)},sl=(i,e)=>{if(typeof i!="string")throw new TypeError("Expected a `target`");return Ms({...e,target:i})},I1=(i,e)=>{if(typeof i!="string")throw new TypeError("Expected a `name`");let{arguments:t=[]}=e||{};if(t!=nu…

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/linux-x64/node.napi.musl.node  (464,816 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/linux-x64/node.napi.glibc.node  (505,424 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/linux-arm64/node.napi.armv8.node  (427,536 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-win32-x64/conpty_console_list.node  (133,120 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-win32-x64/conpty.node  (302,080 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-linux-arm64/pty.node  (69,064 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/darwin-arm64/index.node  (7,787,984 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/linux-arm64/node.napi.armv8.node  (427,536 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/win32-x64/node.napi.node  (527,872 bytes)

`{file_path}` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell.

                      // Ignore if process cannot be found (kill ESRCH error)
                  }
              });
              _this._ptyNative.kill(_this._pty);
          });
          this._conoutSocketWorker.dispose();
      };
      WindowsPtyAgent.prototype._getConsoleProcessList = function () {
          var _this = this;
          return new Promise(function (resolve) {
▶             var agent = child_process_1.fork(path.join(__dirname, 'conpty_console_list_agent'), [_this._innerPid.toString()]);
              agent.on('message', function (message) {
                  clearTimeout(timeout);
                  resolve(message.consoleProcessList);
              });
              var timeout = setTimeout(function () {
                  // Something went wrong, just send back the shell PID
                  agent.kill();
                  resolve([_this._innerPid]);
              }, 5000);
          });

▶ line 1: …,e),this.crc32=0}Ze.prototype._transform=function(e,r,t){this.crc32=lr.unsigned(e,this.crc32),t(null,e)};var qe="\0\u263A\u263B\u2665\u2666\u2663\u2660\u2022\u25D8\u25CB\u25D9\u2642\u2640\u266A\u266B\u263C\u25BA\u25C4\u2195\u203C\xB6\xA7\u25AC\u21A8\u2191\u2193\u2192\u2190\u221F\u2194\u25B2\u25BC !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\u2302\xC7\xFC\xE9\xE2\xE4\xE0\xE5\xE7\xEA\xEB\xE8\xEF\xEE\xEC\xC4\xC5\xC9\xE6\xC6\xF4\xF6\xF2\xFB\xF9\xFF\xD6\xDC\xA2\xA3\xA5\u20A7\u0192\xE1\xED\xF3\xFA\xF1\xD1\xAA\xBA\xBF\u2310\xAC\xBD\xBC\xA1\xAB\xBB\u2591\u2592\u2593\u2502\u2524\u2561\u2562\u2556\u2555\u2563\u2551\u2557\u255D\u255C\u255B\u2510\u2514\u2534\u252C\u251C\u2500\u253C\u255E\u255F\u255A\u2554\u2569\u2566\u2560\u2550\u256C\u2567\u2568\u25…

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/linux-arm/node.napi.armv6.node  (396,772 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/android-arm64/node.napi.armv8.node  (363,760 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/android-arm/node.napi.armv7.node  (327,600 bytes)

`{file_path}` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell.

  #!/usr/bin/env node
  const path = require('path');
  const { spawn } = require('child_process');
  
  const daemonPath = path.join(__dirname, 'cli.js');
  const args = process.argv.slice(2);
  const BUILD_TIME = "2025-11-13T23:18:11.937Z";
  
▶ const child = spawn(process.execPath, [daemonPath, ...args], {
    stdio: 'inherit',
    detached: false,
    cwd: __dirname,
    env: { ...process.env, ENVBUSD_BUILD_TIME: BUILD_TIME }
  });
  
  child.on('error', (err) => {
    console.error('Failed to start envbusd:', err);
    process.exit(1);
  });

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/linux-x64-musl/index.node  (9,874,752 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/win32-x64-msvc/index.node  (8,578,048 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/linux-x64-gnu/index.node  (9,678,648 bytes)

`{file_path}` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell.

▶ line 1: …t.call(a,"error",n)}return t.apply(a,arguments)}}function lu(a,e){return ei&&a===1&&!e.file?ri(e.original,"spawn"):null}function av(a,e){return ei&&a===1&&!e.file?ri(e.original,"spawnSync"):null}cu.exports={hookChildProcess:tv,verifyENOENT:lu,verifyENOENTSync:av,notFoundError:ri}});var fu=z((Wy,Ht)=>{"use strict";var du=require("child_process"),ti=ou(),ai=uu();function hu(a,e,t){let s=ti(a,e,t),r=du.spawn(s.command,s.args,s.options);return ai.hookChildProcess(r,s),r}function sv(a,e,t){let s=ti(a,e,t),r=du.spawnSync(s.command,s.args,s.options);return r.error=r.error||ai.verifyENOENTSync(r.status,s),r}Ht.exports=hu;Ht.exports.spawn=hu;Ht.exports.sync=sv;Ht.exports._parse=ti;Ht.exports._enoent=ai});var _v={};xi(_v,{CallToolRequestSchema:()=>Gs,Client:()=>us,ListRootsRequestSchema:()=>rn,ListT…

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-linux-x64/pty.node  (72,664 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-win32-arm64/conpty_console_list.node  (121,344 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-win32-arm64/conpty.node  (296,960 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-darwin-x64/pty.node  (68,904 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@lydell/node-pty-darwin-arm64/pty.node  (85,160 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/node_modules/@libsql/linux-arm64-gnu/index.node  (8,355,952 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/win32-ia32/node.napi.node  (455,168 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/linux-x64/node.napi.musl.node  (464,816 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/linux-x64/node.napi.glibc.node  (505,424 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/envbusd/prebuilds/linux-arm/node.napi.armv7.node  (396,784 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/win32-x64/node.napi.node  (527,872 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/android-arm64/node.napi.armv8.node  (363,760 bytes)

`{file_path}` is a compiled Node addon ({size_bytes:,} bytes). Native addons run outside the V8 sandbox with arbitrary OS API access and need manual review.

dist/prebuilds/android-arm/node.napi.armv7.node  (327,600 bytes)

▶ line 438: …ref(),r()};gz.prototype.unref=function(r){this.unreffedYet||(this.unreffedYet=!0,this.context.unref())};var yRr="\0\u263A\u263B\u2665\u2666\u2663\u2660\u2022\u25D8\u25CB\u25D9\u2642\u2640\u266A\u266B\u263C\u25BA\u25C4\u2195\u203C\xB6\xA7\u25AC\u21A8\u2191\u2193\u2192\u2190\u221F\u2194\u25B2\u25BC !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\u2302\xC7\xFC\xE9\xE2\xE4\xE0\xE5\xE7\xEA\xEB\xE8\xEF\xEE\xEC\xC4\xC5\xC9\xE6\xC6\xF4\xF6\xF2\xFB\xF9\xFF\xD6\xDC\xA2\xA3\xA5\u20A7\u0192\xE1\xED\xF3\xFA\xF1\xD1\xAA\xBA\xBF\u2310\xAC\xBD\xBC\xA1\xAB\xBB\u2591\u2592\u2593\u2502\u2524\u2561\u2562\u2556\u2555\u2563\u2551\u2557\u255D\u255C\u255B\u2510\u2514\u2534\u252C\u251C\u2500\u253C\u255E\u255F\u255A\u2554\u2569\u2566\u2560\u2550\u256C\u2567\u2568\u25…

`{file_path}` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell.

▶ line 32: …Promise((t,n)=>{I4e.readFile(r,"utf-8",(s,o)=>{s?n(s):t(o)})}),"readFile");T4e.exports={LDD_PATH:W8t,readFileSync:z8t,readFile:j8t}});var Y4e=Qe((pKr,V4e)=>{"use strict";var B4e=require("child_process"),{isLinux:EC,getReport:P4e}=k4e(),{LDD_PATH:d9,readFile:O4e,readFileSync:M4e}=D4e(),W0,z0,L4e="getconf GNU_LIBC_VERSION 2>&1 || true; ldd --version 2>&1 || true",lx="",N4e=a(()=>lx||new Promise(r=>{B4e.exec(L4e,(t,n)=>{lx=t?" ":n,r(lx)})}),"safeCommand"),U4e=a(()=>{if(!lx)try{lx=B4e.execSync(L4e,{encoding:"utf8"})}catch{lx=" "}return lx},"safeCommandSync"),Em="glibc",q4e=/GLIBC\s(\d+\.\d+)/,B1="musl",G8t=Em.toUpperCase(),H8t=B1.toLowerCase(),$8t=a(r=>r.includes("libc.musl-")||r.includes("ld-musl-"),"isFileMusl"),Q4e=a(()=>{let r=P4e();return r.header&&r.header.glibcVersionRuntime?Em:Array.is…

`{file_path}` references `{vendor}`. Telemetry isn't malicious on its own; flagged so reviewers know what data leaves the user's machine.

▶ line 3683: …Y_USE_ENVIRONMENT)!==!1){let r=process.env.SENTRY_TRACE,t=process.env.SENTRY_BAGGAGE,n=m9(r,t);da().setPropagationContext(n)}}a(k4i,"updateScopeFromEnvVariables");function P4i(){let r=bn();r&&r.getOptions().autoSessionTracking&&r.initSessionFlusher(),rie(),process.on("beforeExit",()=>{let t=ji().getSession();t&&t.status!=="ok"&&C9()})}a(P4i,"startSessionTracking");var Ayr=!1;function yyr(){return"https://76dd63a7860bf42c2475a8fbc58643b3@o4510379421794304.ingest.us.sentry.io/4510379423432704"}a(yyr,"getDsn");function B4i(){if(Ayr)return;let r=yyr();r&&(SLe({dsn:r,environment:process.env.NODE_ENV||"production",release:process.env.PACKAGE_VERSION,tracesSampleRate:0,sendDefaultPii:process.env.ENVBUSD_SENTRY_SEND_DEFAULT_PII==="true"}),Ayr=!0)}a(B4i,"initSentry");function byr(r,t){yyr()&&(B4i()…

`{file_path}` references `{vendor}`. Telemetry isn't malicious on its own; flagged so reviewers know what data leaves the user's machine.

▶ line 1875: …Ut(),t={...e.headers,...n.request?.headers};n.request={...e,...n.request,headers:t}}}),eGt="cause",tGt=5,nGt="LinkedErrors",iGt=((n={})=>{const e=n.limit||tGt,t=n.key||eGt;return{name:nGt,preprocessEvent(i,s,r){const o=r.getOptions();mUt(Gee,o.stackParser,t,e,i,s)}}}),sGt=iGt;function rGt(){return oGt()?(LP&&xC(()=>{console.error("[Sentry] You cannot use Sentry.init() in a browser extension, see: https://docs.sentry.io/platforms/javascript/best-practices/browser-extensions/")}),!0):!1}function oGt(){if(typeof Ur.window>"u")return!1;const n=Ur;if(n.nw||!(n.chrome||n.browser)?.runtime?.id)return!1;const t=zee(),i=["chrome-extension","moz-extension","ms-browser-extension","safari-web-extension"];return!(Ur===Ur.top&&i.some(r=>t.startsWith(`${r}://`)))}function aGt(n){return[aUt(),iUt(),jqt(),…