registry  /  @bigduu/lotus  /  2026.7.11

@bigduu/lotus@2026.7.11

Standalone Lotus frontend assets for Bodhi shell and web runtime.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 62 file(s), 7.77 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, bit.ly, cdnjs.cloudflare.com, chevrotain.io, docs.expo.dev, en.wikipedia.org, fb.me, generativelanguage.googleapis.com, github.com, help.openai.com, jquery.org, jspdf.default.namespaceuri, langium.org, lodash.com, openjsf.org, opensource.org, proxy.example.com, reactjs.org, tinyurl.com, tldrlegal.com, underscorejs.org, www.w3.org

Source & flagged code

6 flagged · loading source
dist/assets/SystemSettingsPage-DIiaAU90.jsView file
2patternName = private_key_openssh severity = critical line = 2 matchedText = var ya=O... ",`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/assets/SystemSettingsPage-DIiaAU90.jsView on unpkg · L2
2patternName = private_key_openssh severity = critical line = 2 matchedText = var ya=O... ",`
Critical
Secret Pattern

OpenSSH private key in dist/assets/SystemSettingsPage-DIiaAU90.js

dist/assets/SystemSettingsPage-DIiaAU90.jsView on unpkg · L2
dist/assets/vendor-markdown-Bz_2-zkk.jsView file
40`);F.forEach(function(T,C){var x=r&&d.length+i,R={type:"text",value:"".concat(T,` L41: `)};if(C===0){var O=c.slice(g+1,p).concat(Dt({children:[R],className:A.properties.className})),U=S(O,x);d.push(U)}else if(C===F.length-1){var q=c[p+1]&&c[p+1].children&&c[p+1].chil... L42: ?|
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/vendor-markdown-Bz_2-zkk.jsView on unpkg · L40
dist/assets/diagram-OG6HWLK6-D5LmpUCq.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @bigduu/lotus@2026.7.7 matchedIdentity = npm:QGJpZ2R1dS9sb3R1cw:2026.7.7 similarity = 0.557 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/assets/diagram-OG6HWLK6-D5LmpUCq.jsView on unpkg
dist/assets/main-BUi2UcLi.jsView file
4patternName = generic_password severity = medium line = 4 matchedText = यहां वर्...flux
Medium
Secret Pattern

Hardcoded password in dist/assets/main-BUi2UcLi.js

dist/assets/main-BUi2UcLi.jsView on unpkg · L4
8patternName = generic_password severity = medium line = 8 matchedText = 在這裡描述工作流...itle
Medium
Secret Pattern

Hardcoded password in dist/assets/main-BUi2UcLi.js

dist/assets/main-BUi2UcLi.jsView on unpkg · L8

Findings

2 Critical1 High7 Medium7 Low
CriticalCritical Secretdist/assets/SystemSettingsPage-DIiaAU90.js
CriticalSecret Patterndist/assets/SystemSettingsPage-DIiaAU90.js
HighPrevious Version Dangerous Deltadist/assets/diagram-OG6HWLK6-D5LmpUCq.js
MediumDynamic Requiredist/assets/vendor-markdown-Bz_2-zkk.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/assets/main-BUi2UcLi.js
MediumSecret Patterndist/assets/main-BUi2UcLi.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings