registry  /  @camera.ui/server  /  2.0.9

@camera.ui/server@2.0.9

⚠ Under review

camera.ui server

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 559 file(s), 7.49 MB of source, external domains: 127.0.0.1, 185.97.122.128, 192.168.1.123, alice.yandex.ru, api.github.com, api.npmjs.org, auth.cameraui.com, aws.amazon.com, beispiel.de, billing.cameraui.com, bit.ly, cloud.cameraui.com, community.gopro.com, datatracker.ietf.org, developer.apple.com, developer.mozilla.org, devstreaming-cdn.apple.com, discord.gg, drmnsamoliu.github.io, en.wikipedia.org, example.com, expr.medv.io, ffmpeg.org, github.com, gopro.github.io, gstreamer.freedesktop.org, help.dvr163.com, home.mi.com, iot.quasar.yandex.ru, iot.tuya.com, json-schema.org, leafletjs.com, medium.com, mjpeg.sanford.io, my.example.com, myhome.novotelecom.ru, openipc.org, proxy.cameraui.com, raw.githubusercontent.com, react-dnd.github.io, reddit.com, registry.npmjs.org, rolldown.rs, share.cameraui.com, support.wyze.com, tv.ivideon.com, www.apache.org, www.aqara.com, www.doorbird.com, www.eseecloud.com

Source & flagged code

8 flagged · loading source
dist/server/src/remote/push.jsView file
16patternName = google_api_key severity = high line = 16 matchedText = apiKey: ...5o',
High
High Secret

Package contains a high-severity secret pattern.

dist/server/src/remote/push.jsView on unpkg · L16
16patternName = google_api_key severity = high line = 16 matchedText = apiKey: ...5o',
High
Secret Pattern

Google API key in dist/server/src/remote/push.js

dist/server/src/remote/push.jsView on unpkg · L16
dist/interface/assets/vendor-cameraui-DDdtrYBn.jsView file
4`),ii=new Uint8Array(ri)[0],ai=new Uint8Array(ri)[1]}));function si(e,t,n,r){let i=new Uint8Array(hi);return[0,0,0,0,0,0,0,0,0,0,255,255].forEach((e,t)=>{i[t]=e}),i[12]=e,i[13]=t,i... L5: `),i=r[0];if(i!==na){let e=i.replace(na,``).trim();if(e.length>0){n._code=parseInt(e,10),isNaN(n._code)&&(n._code=0);let t=n._code.toString();e=e.replace(t,``),n._description=e.tri... L6: `);let r=e[t].toString(16);r.length===1&&(r=`0`+r),n.push(r)}console.log(n.join(` `))}})),Ca=a((e=>{Object.defineProperty(e,"__esModule",{value:!0}),e.version=void 0,e.version=`2....
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/interface/assets/vendor-cameraui-DDdtrYBn.jsView on unpkg · L4
dist/server/src/camera/sensors/stable-id.jsView file
1import { createHash } from 'node:crypto'; L2: export function computeSensorStableId(pluginId, sensorType, sensorName) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/src/camera/sensors/stable-id.jsView on unpkg · L1
dist/interface/assets/vendor-primevue-DB14kOh6.jsView file
3433contains invisible/control Unicode U+FEFF (zero width no-break space) In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function rm(e,t){if(e){if(typeof e==`string`)return om(e,t);var n={}.toString.call(e).slice(8,-1);return n===`Object`&&e.constructor&&(n=e.constructor.name
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/interface/assets/vendor-primevue-DB14kOh6.jsView on unpkg · L3433
dist/server/src/plugins/runtime/python/store.pyView file
path = [redacted].py kind = build_helper sizeBytes = 17689 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/server/src/plugins/runtime/python/store.pyView on unpkg
dist/interface/fonts/InterVariable.woff2View file
path = [redacted].woff2 kind = high_entropy_blob sizeBytes = 352240 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/interface/fonts/InterVariable.woff2View on unpkg
dist/interface/assets/Cameras-DNsE3_T0.jsView file
539patternName = generic_password severity = medium line = 539 matchedText = password...efix
Medium
Secret Pattern

Hardcoded password in dist/interface/assets/Cameras-DNsE3_T0.js

dist/interface/assets/Cameras-DNsE3_T0.jsView on unpkg · L539

Findings

1 Critical3 High7 Medium7 Low
CriticalTrojan Source Unicodedist/interface/assets/vendor-primevue-DB14kOh6.js
HighHigh Secretdist/server/src/remote/push.js
HighShips High Entropy Blobdist/interface/fonts/InterVariable.woff2
HighSecret Patterndist/server/src/remote/push.js
MediumDynamic Requiredist/interface/assets/vendor-cameraui-DDdtrYBn.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperdist/server/src/plugins/runtime/python/store.py
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/interface/assets/Cameras-DNsE3_T0.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/server/src/camera/sensors/stable-id.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings