463patternName = private_key_rsa
severity = critical
line = 463
matchedText = `||Y==="...thm.
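Critical: Critical Secret
Package contains a critical-looking secret pattern. The match is for the `private_key_rsa` rule at line 463, and the matched text shown is a truncated fragment of minified code, so check the full line for actual key material before treating this as a leaked private key.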
dist/src/sdk.jsView on unpkg · L463 4`){if(Y)J+=Mv("");let z=Q?Kv(Q):void 0;if(Q&&z)J+=Nv(z)}else if(H===`
L5: `){if(Q&&Kv(Q))J+=Nv(Q);if(Y)J+=Mv(Y)}}return J},Jz0;var iK=s(()=>{dK();nK=`${$z0}8;;`,Vv=new RegExp(`(?:\\${Lv}(?<code>\\d+)m|\\${nK}(?<uri>.*)${lK})`,"y"),Jz0=/\r?\n/});var Y1=A(...
L6: `),Y=0,Z=$;for(let U of Q){if(Z<=U.length)break;Z-=U.length+1,Y++}for(Y=Math.max(0,Math.min(Q.length-1,Y+X)),Z=Math.min(Z,Q[Y].length)+D;Z<0&&Y>0;)Y--,Z+=Q[Y].length+1;for(;Z>Q[Y]....
L7: `),J=D.split(`
L8: `),Q=Math.max(X.length,J.length),Y=[];for(let Z=0;Z<Q;Z++)X[Z]!==J[Z]&&Y.push(Z);return{lines:Y,numLinesBefore:X.length,numLinesAfter:J.length,numLines:Q}}function Z$($){return $==...
L9: `).map((F,U,G)=>{let q=Y?Y(F,U):F;return U===0?`${J}${q}`:U===G.length-1?`${Q}${q}`:`${X}${q}`}).join(`
...
L14: `).slice(Y);this.output.write(Z.join(`
L15: `)),this._prevFrame=$;return}}this.output.write(ND.erase.down())}this.output.write($),this.state==="initial"&&(this.state="active"),this._prevFrame=$}}}function Wz0($,D){if($===voi...
L16: `?`${D}█
...
L19: `&&(this._setUserInput(this.userInput.slice(0,this.cursor-1)+this.userInput.slice(this.cursor)),this._cursor--),!0):(this.#$(`
L20: `),this._cursor++,!1)}constructor($){super(
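Critical: Remote Asset Decode Execute
Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. The excerpts on this page are truncated, and the only `.exec(` call visible in them is a `RegExp` match, so confirm in the full file that fetched data actually reaches a decode step and an execution sink.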
dist/src/sdk.jsView on unpkg · L4 131Trigger-reachable chain: manifest.exports -> dist/src/sdk.js
L131: `)}function FT0($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function UT0(){return process.env.DEBUG}function GT0($){$.inspectOpts={};let D=Object.keys(im.inspectOpts)...
L132: `).map((D)=>D.trim()).join(" ")};nm.O=function($){return this.inspectOpts.colors=this.useColors,Cq.inspect($,this.inspectOpts)}});var Pq=A((Mz$,jw)=>{if(typeof process>"u"||process...
L133:
L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:J,destStat:Q}=await kZ.checkPaths($,D,"copy",X);if(await kZ.checkParentPath...
L135:
L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:J,destStat:Q}=fZ.checkPathsSync($,D,"copy",X);if(fZ.checkParentPathsSync($,...
L137: `,finalEOL:X=!0,replacer:J=null,spaces:Q}={}){let Y=X?D:"",Z=JSON.stringify($,J,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r...
L138: `)];for(let[G,q]of U.entries()){if(J+=q,bq.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.co…
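Critical: Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. The chain reported on this page is `manifest.exports -> dist/src/sdk.js`, which names the package's export entrypoint, so the file is reached when the package is imported; no lifecycle script appears in the chain shown.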
dist/src/sdk.jsView on unpkg · L131 463patternName = private_key_rsa
severity = critical
line = 463
matchedText = `||Y==="...thm.
472patternName = private_key_rsa
severity = critical
line = 472
matchedText = `+" - T...in(`
650patternName = private_key_rsa
severity = critical
line = 650
matchedText = All pack... Y=`
273L274: see https://github.com/jprichardson/node-fs-extra/issues/269`);WF.checkPaths($,D,"copy",(Q,Y)=>{if(Q)return J(Q);let{srcStat:Z,destStat:F}=Y;WF.checkParentPaths($,Z,D,"copy",(U)=>{...
L275: `)}YD0.check=Bc0;async function Ec0($){var D;if((D=$.app.extConfig.server)===null||D===void 0?void 0:D.url)return null;if(["",".","..","../","./"].includes($.app.webDir))return`"${...
311export default config;
L312: `}});var OH,f9,JE,RD0,AD0,ID0,jD0,CD0;var QE=s(()=>{OH=M$(ED0(),1),f9=M$(_W(),1),JE=OH.loadConfig,RD0=OH.writeConfig,AD0=f9.findMonorepoRoot,ID0=f9.findNXMonorepoRoot,jD0=f9.isMono...
L313: `)}var uD0=($,D)=>{$.name="$ZodError",Object.defineProperty($,"_zod",{value:$._zod,enumerable:!1}),Object.defineProperty($,"issues",{value:D,enumerable:!1}),$.message=JSON.stringif...
133L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:J,destStat:Q}=await kZ.checkPaths($,D,"copy",X);if(await kZ.checkParentPath...
L135:
L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:J,destStat:Q}=fZ.checkPathsSync($,D,"copy",X);if(fZ.checkParentPathsSync($,...
L137: `,finalEOL:X=!0,replacer:J=null,spaces:Q}={}){let Y=X?D:"",Z=JSON.stringify($,J,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r...
L138: `)];for(let[G,q]of U.entries()){if(J+=q,bq.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.code!==void 0)...
...
L146: `);return W=Math.max(W,O.length),O});for(let z in q)if(Z[z])Z[z].push(...H[z],...Array(W-H[z].length).fill(""))}let F=Z.map((q,W)=>{if(W<Y-1){let H=ul(q);return q.map((z,O)=>`${z}$...
L147: `)}fl.columnar=Yx0});var cl=A((gl)=>{Object.defineProperty(gl,"__esModule",{value:!0});gl.TERMINAL_INFO=gl.CI_ENVIRONMENT_VARIABLES_DETECTED=gl.CI_ENVIRONMENT_VARIABLES=void 0;var ...
L148: `}pl.enforceLF=Ix0;function jx0($,D=
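High: Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking. dist/src/sdk.js appears to be a minified bundle (the excerpts include fs-extra and graceful-fs code), so these capabilities may come from unrelated bundled modules; check whether one code path connects them.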
dist/src/sdk.jsView on unpkg · L133 131`)}function FT0($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function UT0(){return process.env.DEBUG}function GT0($){$.inspectOpts={};let D=Object.keys(im.inspectOpts)...
L132: `).map((D)=>D.trim()).join(" ")};nm.O=function($){return this.inspectOpts.colors=this.useColors,Cq.inspect($,this.inspectOpts)}});var Pq=A((Mz$,jw)=>{if(typeof process>"u"||process...
L133:
L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:J,destStat:Q}=await kZ.checkPaths($,D,"copy",X);if(await kZ.checkParentPath...
L135:
L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:J,destStat:Q}=fZ.checkPathsSync($,D,"copy",X);if(fZ.checkParentPathsSync($,...
L137: `,finalEOL:X=!0,replacer:J=null,spaces:Q}={}){let Y=X?D:"",Z=JSON.stringify($,J,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r...
L138: `)];for(let[G,q]of U.entries()){if(J+=q,bq.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.code!==void 0)...
...
L146: `);return W=Math.max(W,O.length),O})
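High: Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. The only outbound request visible in the excerpts is a `fetch` to `https://registry.npmjs.org/` built from an encoded, lower-cased argument; whether command output reaches any request is not visible here.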
dist/src/sdk.jsView on unpkg · L131 125`)}),D}});var fg=A((SH$,ug)=>{var O9=a("constants"),Kj0=process.cwd,Gq=null,Nj0=process.env.GRACEFUL_FS_PLATFORM||process.platform;process.cwd=function(){if(!Gq)Gq=Kj0.call(process...
L126: GFS4: `),console.error($)};if(!L1[QD]){if(Jw=global[QD]||[],cg(L1,Jw),L1.close=function($){function D(X,J){return $.call(L1,X,function(Q){if(!Q)dg();if(typeof J==="function")J.appl...
L127: `)}}});var X5=s(()=>{_m()});async function Aq($){try{let X=`https://registry.npmjs.org/${encodeURIComponent($.toLowerCase())}`,J=await fetch(X,{headers:{accept:"application/vnd.npm...
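High: Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code. The excerpts show minified bundle output (WebAuthn error helpers and an `@supabase/auth-js` message), and minification alone also produces short, unreadable identifiers, so locate the string array and its decoder in the full file to confirm this finding.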
dist/src/sdk.jsView on unpkg · L125 108${L}`}});var Wf=A((Gf)=>{Object.defineProperty(Gf,"__esModule",{value:!0});Gf.WebAuthnUnknownError=Gf.WebAuthnError=void 0;Gf.isWebAuthnError=iM0;Gf.identifyRegistrationError=pM0;G...
L109: `);let w=await K.signMessage(new TextEncoder().encode(z),"utf8");if(!w||!(w instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v...
L110: `)!=-1,J=this._styles,Q=J.length;while(Q--){var Y=xX[J[Q]];if(D=Y.open+D.replace(Y.closeRe,Y.open)+Y.close,X)D=D.replace(iL0,function(Z){return Y.close+Z+Y.open})}return D}H$.setTh...
Medium: Dynamic Require
Package source references dynamic require/import behavior.
dist/src/sdk.jsView on unpkg · L108 4`){if(Y)J+=Mv("");let z=Q?Kv(Q):void 0;if(Q&&z)J+=Nv(z)}else if(H===`
L5: `){if(Q&&Kv(Q))J+=Nv(Q);if(Y)J+=Mv(Y)}}return J},Jz0;var iK=s(()=>{dK();nK=`${$z0}8;;`,Vv=new RegExp(`(?:\\${Lv}(?<code>\\d+)m|\\${nK}(?<uri>.*)${lK})`,"y"),Jz0=/\r?\n/});var Y1=A(...
L6: `),Y=0,Z=$;for(let U of Q){if(Z<=U.length)break;Z-=U.length+1,Y++}for(Y=Math.max(0,Math.min(Q.length-1,Y+X)),Z=Math.min(Z,Q[Y].length)+D;Z<0&&Y>0;)Y--,Z+=Q[Y].length+1;for(;Z>Q[Y]....
L7: `),J=D.split(`
L8: `),Q=Math.max(X.length,J.length),Y=[];for(let Z=0;Z<Q;Z++)X[Z]!==J[Z]&&Y.push(Z);return{lines:Y,numLinesBefore:X.length,numLinesAfter:J.length,numLines:Q}}function Z$($){return $==...
L9: `).map((F,U,G)=>{let q=Y?Y(F,U):F;return U===0?`${J}${q}`:U===G.length-1?`${Q}${q}`:`${X}${q}`}).join(`
...
L14: `).slice(Y);this.output.write(Z.join(`
L15: `)),this._prevFrame=$;return}}this.output.write(ND.erase.down())}this.output.write($),this.state==="initial"&&(this.state="active"),this._prevFrame=$}}}function Wz0($,D){if($===voi...
L16: `?`${D}█
...
L19: `&&(this._setUserInput(this.userInput.slice(0,this.cursor-1)+this.userInput.slice(this.cursor)),this._cursor--),!0):(this.#$(`
L20: `),this._cursor++,!1)}constructor($){super(
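Low: Weak Crypto
Package source references weak cryptographic algorithms. The report does not name the algorithm; identify it and how it is used (for example checksums versus signatures or password hashing) before rating the risk.
dist/src/sdk.js · View on unpkg · L4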