registry  /  @bentlyr/midown  /  1.0.2

@bentlyr/midown@1.0.2

Architecture and Plannign App for developers

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 107 file(s), 4.81 MB of source, external domains: api.openai.com, chevrotain.io, en.wikipedia.org, feross.org, generativelanguage.googleapis.com, github.com, hmljmijzfkiivjxzqgri.supabase.co, jquery.org, langium.org, lodash.com, midown.app, openjsf.org, openrouter.ai, react.dev, reactflow.dev, tldrlegal.com, underscorejs.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/renderer/main_window/assets/index-DTrCNVev.jsView file
882patternName = supabase_service_key severity = critical line = 882 matchedText = `);const... z};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/renderer/main_window/assets/index-DTrCNVev.jsView on unpkg · L882
882patternName = supabase_service_key severity = critical line = 882 matchedText = `);const... z};
Critical
Secret Pattern

Supabase service role key (JWT) in dist/renderer/main_window/assets/index-DTrCNVev.js

dist/renderer/main_window/assets/index-DTrCNVev.jsView on unpkg · L882
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/dagre-VKFMJZFB-B1LyzOLO.js","assets/chunk-RYQCIY6F-CPlxch74.js","assets/graph-CuXa0ocy.js","assets/map-ISgak3ML.js"... L2: var ui=Object.defineProperty;var hi=(ne,xe,rt)=>xe in ne?ui(ne,xe,{enumerable:!0,configurable:!0,writable:!0,value:rt}):ne[xe]=rt;var Lr=(ne,xe,rt)=>hi(ne,typeof xe!="symbol"?xe+""... L3: * @license React ... L9: * LICENSE file in the root directory of this source tree. L10: */var REACT_ELEMENT_TYPE$2=Symbol.for("react.transitional.element"),REACT_FRAGMENT_TYPE$2=Symbol.for("react.fragment");function jsxProd(ne,xe,rt){var it=null;if(rt!==void 0&&(it=""... L11: * @license React ... L32: Error generating stack: `+it.message+` L33: `+it.stack}}var hasOwnProperty$2=Object.prototype.hasOwnProperty,scheduleCallback$3=Scheduler.unstable_scheduleCallback,cancelCallback$1=Scheduler.unstable_cancelCallback,shouldYie... L34: `).replace(NORMALIZE_NULL_AND_REPLACEMENT_REGEX,"")}function checkForUnmatchedText(ne,xe){return xe=[redacted](xe),[redacted](ne)===xe... ... L327: 2. ALL edges/connections MUST be declared separately afterwards. L328: 3. INLINE DECLARATI
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/renderer/main_window/assets/index-DTrCNVev.jsView on unpkg · L1
373`+Nr),kr&&(Nr=tn(Nr)),wt&&Rt?Wt(Nr):Nr},xe.setConfig=function(){let fr=arguments.length>0&&arguments[0]!==void 0?arguments[0]:{};En(fr),nr=!0,cr=or,yr=pr},xe.clearConfig=function()... L374: `);for(const[rt,{detector:it}]of Object.entries(detectors))if(it(ne,xe))return rt;throw new UnknownDiagramError(`No diagram type detected matching given configuration for text: ${n... L375: `)}__name(cssStyleSheetToString,"cssStyleSheetToString");var getStyles=__name((ne,xe,rt,it)=>{let lt="";return ne in themes&&themes[ne]?lt=themes[ne]({...rt,svgId:it}):log.warn(`No...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/renderer/main_window/assets/index-DTrCNVev.jsView on unpkg · L373
813`+rt)),it};var mark=Mark$1,YAMLException$3=exception,TYPE_CONSTRUCTOR_OPTIONS=["kind","resolve","construct","instanceOf","predicate","represent","defaultStyle","styleAliases"],YAML... L814: \r`;function resolveYamlBinary(ne){if(ne===null)return!1;var xe,rt,it=0,lt=ne.length,ct=BASE64_MAP;for(rt=0;rt<lt;rt++)if(xe=ct.indexOf(ne.charAt(rt)),!(xe>64)){if(xe<0)return!1;it... L815: `:ne===118?"\v":ne===102?"\f":ne===114?"\r":ne===101?"\x1B":ne===32?" ":ne===34?'"':ne===47?"/":ne===92?"\\":ne===78?"…":ne===95?" ":ne===76?"\u2028":ne===80?"\u2029":""}function c...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/renderer/main_window/assets/index-DTrCNVev.jsView on unpkg · L813

Findings

2 Critical1 High5 Medium7 Low
CriticalCritical Secretdist/renderer/main_window/assets/index-DTrCNVev.js
CriticalSecret Patterndist/renderer/main_window/assets/index-DTrCNVev.js
HighObfuscated Payload Loaderdist/renderer/main_window/assets/index-DTrCNVev.js
MediumDynamic Requiredist/renderer/main_window/assets/index-DTrCNVev.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/renderer/main_window/assets/index-DTrCNVev.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings