registry  /  @bigduu/lotus  /  2026.7.7

@bigduu/lotus@2026.7.7

Standalone Lotus frontend assets for Bodhi shell and web runtime.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 79 file(s), 7.77 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, bit.ly, cdnjs.cloudflare.com, chevrotain.io, docs.expo.dev, en.wikipedia.org, fb.me, generativelanguage.googleapis.com, github.com, help.openai.com, jquery.org, jspdf.default.namespaceuri, langium.org, lodash.com, openjsf.org, opensource.org, proxy.example.com, reactjs.org, tinyurl.com, tldrlegal.com, underscorejs.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/assets/index-BUO2Zcn6.jsView file
2patternName = private_key_openssh severity = critical line = 2 matchedText = var mn=O... ",`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/assets/index-BUO2Zcn6.jsView on unpkg · L2
2patternName = private_key_openssh severity = critical line = 2 matchedText = var mn=O... ",`
Critical
Secret Pattern

OpenSSH private key in dist/assets/index-BUO2Zcn6.js

dist/assets/index-BUO2Zcn6.jsView on unpkg · L2
dist/assets/vendor-markdown-CARODNj-.jsView file
40`);F.forEach(function(T,C){var x=r&&d.length+i,R={type:"text",value:"".concat(T,` L41: `)};if(C===0){var O=c.slice(g+1,p).concat(Dt({children:[R],className:A.properties.className})),U=S(O,x);d.push(U)}else if(C===F.length-1){var q=c[p+1]&&c[p+1].children&&c[p+1].chil... L42: ?|
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/vendor-markdown-CARODNj-.jsView on unpkg · L40
dist/assets/en-US-BHmVs299.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = const e=...itle
Medium
Secret Pattern

Hardcoded password in dist/assets/en-US-BHmVs299.js

dist/assets/en-US-BHmVs299.jsView on unpkg · L1
dist/assets/main-bnHa9vH1.jsView file
4patternName = generic_password severity = medium line = 4 matchedText = यहां वर्...flux
Medium
Secret Pattern

Hardcoded password in dist/assets/main-bnHa9vH1.js

dist/assets/main-bnHa9vH1.jsView on unpkg · L4

Findings

2 Critical7 Medium7 Low
CriticalCritical Secretdist/assets/index-BUO2Zcn6.js
CriticalSecret Patterndist/assets/index-BUO2Zcn6.js
MediumDynamic Requiredist/assets/vendor-markdown-CARODNj-.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/assets/en-US-BHmVs299.js
MediumSecret Patterndist/assets/main-bnHa9vH1.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings