@blamejs/blamejs-shop@0.5.12

⚠ Under review

Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 50 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 893 file(s), 24.4 MB of source

Source & flagged code

40 flagged
lib/push-notifications.js
L29: patternName = private_key_rsa severity = critical line = 29 matchedText = * .....",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/push-notifications.js · L29
L29: patternName = private_key_rsa severity = critical line = 29 matchedText = * .....",
Critical
Secret Pattern

RSA private key in lib/push-notifications.js

lib/push-notifications.js · L29
lib/subscriptions.js
L33:
L34: var b = require("./vendor/blamejs");
L35:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/subscriptions.js · L33
lib/vendor/blamejs/lib/ws-client.js
L4: /**
L5: * b.wsClient — outbound WebSocket client (RFC 6455).
L6: *
...
L20: *
L21: * client.on("open", function () { client.send({ subscribe: ["orders"] }); });
L22: * client.on("message", function (data, isBinary) { ... });
...
L26: * client.send("text frame");
L27: * client.send(Buffer.from("binary frame"));
L28: * client.close(1000, "bye");
...
L201:
L202: // Operators with a non-RFC-6455 GUID (private protocols on top of
L203: // the WebSocket framing layer, framework-specific handshake variants)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/vendor/blamejs/lib/ws-client.js · L4
lib/vendor/blamejs/lib/middleware/body-parser.js
L601: contains invisible/control Unicode U+202E (right-to-left override) // `Photo01By<U+202E>gpj.SCR` displays as `Photo01By.jpg` in audit
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

lib/vendor/blamejs/lib/middleware/body-parser.js · L601
lib/vendor/blamejs/lib/guard-filename.js
Trigger-reachable chain: manifest.main -> lib/index.js -> lib/vendor/blamejs/index.js -> lib/vendor/blamejs/lib/guard-filename.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

lib/vendor/blamejs/lib/guard-filename.js
lib/vendor/blamejs/docker/init/generate-certs.sh
path = [redacted]-certs.sh kind = build_helper sizeBytes = 4418 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/vendor/blamejs/docker/init/generate-certs.sh
lib/vendor/blamejs/.clusterfuzzlite/build.sh
path = lib/vendor/blamejs/.clusterfuzzlite/build.sh kind = payload_in_excluded_dir sizeBytes = 1244 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

lib/vendor/blamejs/.clusterfuzzlite/build.sh
lib/vendor/blamejs/test/40-consumers.js
L496: patternName = aws_access_key severity = critical line = 496 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/40-consumers.js

lib/vendor/blamejs/test/40-consumers.js · L496
L501: patternName = aws_access_key severity = critical line = 501 matchedText = /^AWS4-H...]));
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/40-consumers.js

lib/vendor/blamejs/test/40-consumers.js · L501
L516: patternName = aws_access_key severity = critical line = 516 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/40-consumers.js

lib/vendor/blamejs/test/40-consumers.js · L516
L598: patternName = aws_access_key severity = critical line = 598 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/40-consumers.js

lib/vendor/blamejs/test/40-consumers.js · L598
L1233: patternName = generic_password severity = medium line = 1233 matchedText = b.logStr... });
Medium
Secret Pattern

Hardcoded password in lib/vendor/blamejs/test/40-consumers.js

lib/vendor/blamejs/test/40-consumers.js · L1233
lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js
L52: patternName = private_key_rsa severity = critical line = 52 matchedText = var pem ...\n";
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js

lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js · L52
lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js
L60: patternName = private_key_rsa severity = critical line = 60 matchedText = var keyP...n" +
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js

lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js · L60
lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js
L35: patternName = aws_access_key severity = critical line = 35 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js

lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js · L35
L81: patternName = aws_access_key severity = critical line = 81 matchedText = check("X... 0);
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js

lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js · L81
L522: patternName = aws_access_key severity = critical line = 522 matchedText = check("s... 0);
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js

lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js · L522
lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js
L87: patternName = private_key_rsa severity = critical line = 87 matchedText = var leaf...\n";
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js

lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js · L87
lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js
L77: patternName = private_key_rsa severity = critical line = 77 matchedText = var keyP...n" +
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js

lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js · L77
lib/vendor/blamejs/test/layer-0-primitives/cert.test.js
L105: patternName = private_key_rsa severity = critical line = 105 matchedText = var keyP...\n";
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/cert.test.js

lib/vendor/blamejs/test/layer-0-primitives/cert.test.js · L105
lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js
L98: patternName = private_key_rsa severity = critical line = 98 matchedText = var k = ...--";
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js

lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js · L98
lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js
L37: patternName = private_key_rsa severity = critical line = 37 matchedText = /^-----B...y));
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js

lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js · L37
lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js
L34: patternName = aws_access_key severity = critical line = 34 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js

lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js · L34
lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js
L223: patternName = generic_password severity = medium line = 223 matchedText = service:...AR",
Medium
Secret Pattern

Hardcoded password in lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js

lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js · L223
lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js
L64: patternName = private_key_rsa severity = critical line = 64 matchedText = var keyP...\n";
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js

lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js · L64
lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js
L93: patternName = aws_access_key severity = critical line = 93 matchedText = var secr... });
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js

lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js · L93
L96: patternName = aws_access_key severity = critical line = 96 matchedText = check("a...-1);
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js

lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js · L96
L99: patternName = aws_access_key severity = critical line = 99 matchedText = var awsP... });
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js

lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js · L99
L100: patternName = aws_access_key severity = critical line = 100 matchedText = check("i...-1);
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js

lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js · L100
lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js
L59: patternName = private_key_rsa severity = critical line = 59 matchedText = var keyP...\n";
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js

lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js · L59
lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js
L151: patternName = private_key_rsa severity = critical line = 151 matchedText = accountK..." },
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js

lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js · L151
lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js
L60: patternName = aws_access_key severity = critical line = 60 matchedText = awsAcces...LE",
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js

lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js · L60
L67: patternName = private_key_rsa severity = critical line = 67 matchedText = pem: ...--",
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js

lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js · L67
L151: patternName = private_key_rsa severity = critical line = 151 matchedText = text.ind...-1);
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js

lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js · L151
lib/vendor/blamejs/test/layer-0-primitives/notify.test.js
L384: patternName = generic_password severity = medium line = 384 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in lib/vendor/blamejs/test/layer-0-primitives/notify.test.js

lib/vendor/blamejs/test/layer-0-primitives/notify.test.js · L384
lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js
L323: patternName = aws_access_key severity = critical line = 323 matchedText = resource..." },
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js

lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js · L323
lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js
L63: patternName = private_key_rsa severity = critical line = 63 matchedText = var keyP...n" +
Critical
Secret Pattern

RSA private key in lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js

lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js · L63
lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js
L27: patternName = aws_access_key severity = critical line = 27 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js

lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js · L27
lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js
L220: patternName = generic_password severity = medium line = 220 matchedText = service:...rue,
Medium
Secret Pattern

Hardcoded password in lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js

lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js · L220

Findings

32 Critical · 1 High · 10 Medium · 7 Low
Critical · Critical Secret · lib/push-notifications.js
Critical · Trojan Source Unicode · lib/vendor/blamejs/lib/middleware/body-parser.js
Critical · Trigger Reachable Dangerous Capability · lib/vendor/blamejs/lib/guard-filename.js
Critical · Secret Pattern · lib/push-notifications.js
Critical · Secret Pattern · lib/vendor/blamejs/test/40-consumers.js
Critical · Secret Pattern · lib/vendor/blamejs/test/40-consumers.js
Critical · Secret Pattern · lib/vendor/blamejs/test/40-consumers.js
Critical · Secret Pattern · lib/vendor/blamejs/test/40-consumers.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/cert.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js
Critical · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js
High · Payload In Excluded Dir · lib/vendor/blamejs/.clusterfuzzlite/build.sh
Medium · Dynamic Require · lib/subscriptions.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Build Helper · lib/vendor/blamejs/docker/init/generate-certs.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · lib/vendor/blamejs/test/40-consumers.js
Medium · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js
Medium · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/notify.test.js
Medium · Secret Pattern · lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js
Low · Scripts Present
Low · Weak Crypto · lib/vendor/blamejs/lib/ws-client.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings