registry  /  @aastar/sdk  /  0.42.0

@aastar/sdk@0.42.0

⚠ Under review

All-in-one TypeScript SDK for the AAStar Protocol / Mycelium Network — ERC-4337 account abstraction, gasless transactions, SuperPaymaster gas sponsorship, KMS WebAuthn passkeys, BLS aggregate signatures, multi-chain (Optimism + Ethereum) community economi

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 66 file(s), 4.86 MB of source, external domains: 127.0.0.1, aastar.io, airaccount.aastar.io, airaccount.example, api.pimlico.io, discord.gg, dvt1.aastar.io, dvt2.aastar.io, dvt3.aastar.io, faucet-aastar.vercel.app, github.com, kms.aastar.io, mainnet.optimism.io, mycelium-relayer.jhfnetboy.workers.dev, optimistic.etherscan.io, raw.githubusercontent.com, resend.com, rpc.sepolia.org, sepolia-optimism.etherscan.io, sepolia.etherscan.io, sepolia.optimism.io, superpaymaster.aastar.io, twitter.com, www.aastar.io
Oversized source lightweight scan
dist/lib-FE4GR7TO.cjs4.06 MB file, sampled 256 KB
NetworkChildProcessEvalHighEntropyStringsUrlStringsgithub.com
dist/lib-VRTYVDUO.js4.06 MB file, sampled 256 KB
NetworkChildProcessEvalHighEntropyStringsUrlStringsgithub.com

Source & flagged code

3 flagged · loading source
dist/chunk-MUC3OVGJ.jsView file
3import { parseEther, formatEther, isHex } from 'viem'; L4: import { privateKeyToAccount } from 'viem/accounts'; L5: ... L77: roleId: ROLE_PAYMASTER_SUPER, L78: data: "0x", L79: // SuperPaymaster role doesn't need special data ... L712: } L713: const h = await funderWallet.sendTransaction({ L714: account: funderWallet.account, ... L802: for (const name of names) { L803: const val = process.env[name]; L804: if (val && val.trim()) return normalizePrivateKey(val, `env ${name}`);
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/chunk-MUC3OVGJ.jsView on unpkg · L3
dist/chunk-DV6DLX62.cjsView file
79Trigger-reachable chain: manifest.main -> dist/index.cjs -> dist/chunk-DV6DLX62.cjs L79: roleId: ROLE_PAYMASTER_SUPER, L80: data: "0x", L81: // SuperPaymaster role doesn't need special data ... L714: } L715: const h = await funderWallet.sendTransaction({ L716: account: funderWallet.account, ... L788: } L789: var ENV_KEY_FALLBACKS = ["OPERATOR_PRIVATE_KEY", "ETH_PRIVATE_KEY", "PRIVATE_KEY"]; L790: function normalizePrivateKey(raw, origin) { ... L804: for (const name of names) { L805: const val = process.env[name]; L806: if (val && val.trim()) return normalizePrivateKey(val, `env ${name}`);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-DV6DLX62.cjsView on unpkg · L79
dist/lib-FE4GR7TO.cjsView file
path = dist/lib-FE4GR7TO.cjs kind = oversized_source_file sizeBytes = 4259027 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/lib-FE4GR7TO.cjsView on unpkg

Findings

2 Critical1 High3 Medium5 Low
CriticalWallet Draindist/chunk-MUC3OVGJ.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-DV6DLX62.cjs
HighOversized Source Filedist/lib-FE4GR7TO.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings