
@blamejs/core@0.16.0

⚠ Under review

The Node framework that owns its stack.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Obfuscated, Protestware, Url Strings
Manifest: No manifest risk signals triggered.
scanned 566 file(s), 14.5 MB of source, external domains: accounts.google.com, api.github.com, api.hcaptcha.com, api.pwnedpasswords.com, api.resend.com, app.example.com, appleid.apple.com, attacker.example, attacker.tld, bimigroup.org, blamejs.com, c2pa.org, challenges.cloudflare.com, cloudflare-dns.com, datatracker.ietf.org, dns.google, dns.quad9.net, docs.example.com, example.com, financialdataexchange.org, github.com, json-schema.org, login.microsoftonline.com, mds.fidoalliance.org, mds3.fidoalliance.org, nvd.nist.gov, oauth2.googleapis.com, placeholder.invalid, publicsuffix.org, s3.amazonaws.com, schemas.dmtf.org, schemas.microsoft.com, schemas.openid.net, schemas.xmlsoap.org, simplewebauthn.dev, storage.googleapis.com, www.apache.org, www.google.com, www.googleapis.com, www.rfc-editor.org, www.w3.org, x.com

Source & flagged code

9 flagged

lib/mail-crypto-pgp.js
line 82: patternName = private_key_rsa severity = critical line = 82 matchedText = * .....",
Critical · Critical Secret

Package contains a critical-looking secret pattern.

lib/mail-crypto-pgp.js · L82

line 82: patternName = private_key_rsa severity = critical line = 82 matchedText = * .....",
Critical · Secret Pattern

RSA private key in lib/mail-crypto-pgp.js

lib/mail-crypto-pgp.js · L82

bin/blamejs.js
line 4: // be driven from tests without spawning a child process. L5: var cli = require("../lib/cli"); L6:
Medium · Dynamic Require

Package source references dynamic require/import behavior.

bin/blamejs.js · L4

lib/ws-client.js
line 2: /** L3: * b.wsClient — outbound WebSocket client (RFC 6455). L4: * ... L18: * L19: * client.on("open", function () { client.send({ subscribe: ["orders"] }); }); L20: * client.on("message", function (data, isBinary) { ... }); ... L24: * client.send("text frame"); L25: * client.send(Buffer.from("binary frame")); L26: * client.close(1000, "bye"); ... L199: L200: // Operators with a non-RFC-6455 GUID (private protocols on top of L201: // the WebSocket framing layer, framework-specific handshake variants)
Low · Weak Crypto

Package source references weak cryptographic algorithms.

lib/ws-client.js · L2

lib/middleware/body-parser.js
line 599: contains invisible/control Unicode U+202E (right-to-left override) // `Photo01By<U+202E>gpj.SCR` displays as `Photo01By.jpg` in audit
Critical · Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

lib/middleware/body-parser.js · L599

lib/guard-filename.js
Trigger-reachable chain: manifest.main -> index.js -> lib/guard-filename.js
Reachable file contains a blocking source-risk pattern.
Critical · Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

lib/guard-filename.js

lib/redact.js
line 126: patternName = private_key_openssh severity = critical line = 126 matchedText = test: ...; },
Critical · Secret Pattern

OpenSSH private key in lib/redact.js

lib/redact.js · L126

line 428: patternName = private_key_openssh severity = critical line = 428 matchedText = detect: ...; },
Critical · Secret Pattern

OpenSSH private key in lib/redact.js

lib/redact.js · L428

line 267: patternName = generic_password severity = medium line = 267 matchedText = * // ...D]",
Medium · Secret Pattern

Hardcoded password in lib/redact.js

lib/redact.js · L267

Findings

6 Critical · 6 Medium · 6 Low

Critical · Critical Secret · lib/mail-crypto-pgp.js
Critical · Trojan Source Unicode · lib/middleware/body-parser.js
Critical · Trigger Reachable Dangerous Capability · lib/guard-filename.js
Critical · Secret Pattern · lib/mail-crypto-pgp.js
Critical · Secret Pattern · lib/redact.js
Critical · Secret Pattern · lib/redact.js
Medium · Dynamic Require · bin/blamejs.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · lib/redact.js
Low · Scripts Present
Low · Weak Crypto · lib/ws-client.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings