registry  /  @coffer-org/web  /  1.3.0

@coffer-org/web@1.3.0

⚠ Under review

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 155 file(s), 5.58 MB of source, external domains: base-ui.com, fb.me, github.com, html.spec.whatwg.org, json-schema.org, leafletjs.com, nominatim.openstreetmap.org, prosemirror.net, purecatamphetamine.github.io, radix-ui.com, react.dev, tile.openstreetmap.org, www.ibm.com, www.openstreetmap.org, www.w3.org

Source & flagged code

6 flagged · loading source
dist/assets/dist-CbTzBiwL.jsView file
1var e=1024,t=0,n=class{constructor(e,t){this.from=e,this.to=t}},r=class{constructor(e={}){this.id=t++,this.perNode=!!e.perNode,this.deserialize=e.deserialize||(()=>{throw Error(`Th... L2: `){[e,t]=Ke(this,e,t);let r=``;for(let i=0,a=0;i<=t&&a<this.text.length;a++){let o=this.text[a],s=i+o.length;i>e&&a&&(r+=n),e<s&&t>i&&(r+=o.slice(Math.max(0,e-i),t-i)),i=s+1}return...
High
Child Process

Package source references child process execution.

dist/assets/dist-CbTzBiwL.jsView on unpkg · L1
dist/assets/index-a1UeYh9b.jsView file
76contains invisible/control Unicode U+200B (zero width space) In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function jl(e,t){if(e){if(typeof e==`string`)return Ml(e,t);var n={}.toString.call(e).slice(8,-1);return n===`Object`&&e.constructor&&(n=e.constructor.name
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/assets/index-a1UeYh9b.jsView on unpkg · L76
88In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function jm(e,t){if(e){if(typeof e==`string`)return Mm(e,t);var n=Object.prototype.toString.cal... L89: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function ah(e,t){if(e){if(typeof e==`string`)return oh(e,t);var n=Object.prototype.toString.cal... L90: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function _h(e,t){if(e){if(typeof e==`string`)return vh(e,t);var n=Object.prototype.toString.cal... L91: Decimal separator can't be same as thousand separator. ... L101: L102: For more information, see https://radix-ui.com/primitives/docs/components/${t.docsSlug}`;return K.useEffect(()=>{e&&(document.getElementById(e)||console.error(n))},[n,e]),null},I$=... L103: ?| L104: |(?![\\s\\S])))+`,`m`),alias:i,inside:{line:{pattern:/(.)(?=[\s\S]).*(?:\r\n?|\n)?/,lookbehind:!0},prefix:{pattern:/[\s\S]/,alias:/\w+/.exec(n)[0]}}}}),Object.defineProperty(e.lang...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/assets/index-a1UeYh9b.jsView on unpkg · L88
89In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function ah(e,t){if(e){if(typeof e==`string`)return oh(e,t);var n=Object.prototype.toString.cal... L90: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function _h(e,t){if(e){if(typeof e==`string`)return vh(e,t);var n=Object.prototype.toString.cal... L91: Decimal separator can't be same as thousand separator.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/index-a1UeYh9b.jsView on unpkg · L89
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/assets/MarkdownEditor-CX6oZ_kg.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @coffer-org/web@1.2.4 matchedIdentity = npm:QGNvZmZlci1vcmcvd2Vi:1.2.4 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/assets/MarkdownEditor-CX6oZ_kg.jsView on unpkg

Findings

2 Critical3 High4 Medium5 Low
CriticalTrojan Source Unicodedist/assets/index-a1UeYh9b.js
CriticalPrevious Version Dangerous Deltadist/assets/MarkdownEditor-CX6oZ_kg.js
HighChild Processdist/assets/dist-CbTzBiwL.js
HighCommand Output Exfiltrationdist/assets/index-a1UeYh9b.js
HighShips High Entropy Blobdist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
MediumDynamic Requiredist/assets/index-a1UeYh9b.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License