registry  /  @cytario/web  /  4.10.0

@cytario/web@4.10.0

⚠ Under review

Cytario Web — scientific imaging data browser and viewer for OME-TIFF, OME-Zarr, Parquet and GeoTIFF on S3-compatible storage.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
CopyleftLicense
scanned 329 file(s), 8.83 MB of source, external domains: bit.ly, cyberduck.io, extensions.duckdb.org, github.com, json-schema.org, react.dev, reactrouter.com, s3.amazonaws.com, unpkg.com, www.apple.com, www.reedbeta.com, www.w3.org

Source & flagged code

9 flagged · loading source
build/client/assets/zstd-BbiHKNjt.jsView file
15patternName = aws_access_key severity = critical line = 15 matchedText = `];if(fA...lt};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

build/client/assets/zstd-BbiHKNjt.jsView on unpkg · L15
15patternName = aws_access_key severity = critical line = 15 matchedText = `];if(fA...lt};
Critical
Secret Pattern

AWS access key ID in build/client/assets/zstd-BbiHKNjt.js

build/client/assets/zstd-BbiHKNjt.jsView on unpkg · L15
bin/cytario-web.mjsView file
9L10: import { spawn } from "node:child_process"; L11: import { dirname, resolve } from "node:path";
High
Child Process

Package source references child process execution.

bin/cytario-web.mjsView on unpkg · L9
build/client/assets/duckdb-browser-eh.worker-hQa-dcAV.jsView file
1"use strict";var duckdb=(()=>{var qc=Object.create;var Pn=Object.defineProperty;var Xc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeO... L2: /*! Bundled license information:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

build/client/assets/duckdb-browser-eh.worker-hQa-dcAV.jsView on unpkg · L1
1"use strict";var duckdb=(()=>{var qc=Object.create;var Pn=Object.defineProperty;var Xc=Object.getOwnPropertyDescriptor;var Qc=Object.getOwnPropertyNames;var Yc=Object.getPrototypeO... L2: /*! Bundled license information:
Low
Eval

Package source references a known benign dynamic code generation pattern.

build/client/assets/duckdb-browser-eh.worker-hQa-dcAV.jsView on unpkg · L1
server.jsView file
9var BUILD_PATH = path.resolve("build/server/index.js"); L10: var buildModule = await import(url.pathToFileURL(BUILD_PATH).href); L11: var app = express();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

server.jsView on unpkg · L9
build/client/assets/duckdb-browser-mvp.worker-C9hF7LGh.jsView file
1"use strict";var duckdb=(()=>{var ql=Object.create;var Fi=Object.defineProperty;var Xl=Object.getOwnPropertyDescriptor;var Ql=Object.getOwnPropertyNames;var Yl=Object.getPrototypeO... L2: /*! Bundled license information:
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

build/client/assets/duckdb-browser-mvp.worker-C9hF7LGh.jsView on unpkg · L1
public/duckdb-extensions/v1.4.3/wasm_threads/spatial.duckdb_extension.wasmView file
path = public/duckdb-extensions/v1.4.3/wasm_threads/spatial.duckdb_extension.wasm kind = wasm_module sizeBytes = 23330976 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

public/duckdb-extensions/v1.4.3/wasm_threads/spatial.duckdb_extension.wasmView on unpkg
build/server/assets/server-build-B07iqDvh.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @cytario/web@4.7.0 matchedIdentity = npm:QGN5dGFyaW8vd2Vi:4.7.0 similarity = 0.708 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/server/assets/server-build-B07iqDvh.jsView on unpkg

Findings

3 Critical4 High6 Medium8 Low
CriticalCritical Secretbuild/client/assets/zstd-BbiHKNjt.js
CriticalPrevious Version Dangerous Deltabuild/server/assets/server-build-B07iqDvh.js
CriticalSecret Patternbuild/client/assets/zstd-BbiHKNjt.js
HighChild Processbin/cytario-web.mjs
HighShell
HighCommand Output Exfiltrationbuild/client/assets/duckdb-browser-eh.worker-hQa-dcAV.js
HighObfuscated Payload Loaderbuild/client/assets/duckdb-browser-mvp.worker-C9hF7LGh.js
MediumDynamic Requireserver.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Wasm Modulepublic/duckdb-extensions/v1.4.3/wasm_threads/spatial.duckdb_extension.wasm
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalbuild/client/assets/duckdb-browser-eh.worker-hQa-dcAV.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License