registry  /  @dcl/sites  /  0.47.0

@dcl/sites@0.47.0

⚠ Under review

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 383 file(s), 7.55 MB of source, external domains: 11155111.rpc.thirdweb.com, 4byte.sourcify.dev, abitype.dev, amoy.polygonscan.com, aomediacodec.github.io, api-sepolia.etherscan.io, api.biconomy.io, api.etherscan.io, api.github.com, api.segment.io, api.vimeo.com, api.wallet.coinbase.com, api.web3modal.org, app.safe.global, apps.apple.com, arweave.net, assets-cdn.decentraland.org, assets-cdn.decentraland.zone, auth-api.decentraland.org, auth-api.decentraland.today, auth-api.decentraland.zone, badges.decentraland.org, badges.decentraland.zone, bit.ly, bugs.webkit.org, builder-api.decentraland.org, buy-staging.moonpay.io, buy.moonpay.io, calendar.google.com, camera-reel-service.decentraland.org, camera-reel-service.decentraland.zone, cast-presenter-service.decentraland.org, cast-presenter-service.decentraland.zone, cdn-data.decentraland.org, cdn.decentraland.org, cdn.jsdelivr.net, cdn.segment, cdn.segment.com, cms-api.decentraland.org, cms-images.decentraland.org, cms.decentraland.org, comms-gatekeeper.decentraland.org, comms-gatekeeper.decentraland.zone, contract.thirdweb.com, credits.decentraland.org, credits.decentraland.today, credits.decentraland.zone, dao.decentraland.org, dcl.gg, decentraland.org

Source & flagged code

4 flagged · loading source
assets/vendor-auth-Co--LRQo.jsView file
1import{a as e,r as t,s as n,t as r}from"./rolldown-runtime-zSbnoVup.js";var i=`modulepreload`,a=function(e){return`https://cdn.decentraland.org/@dcl/sites/0.47.0/`+e},o={},s=functi... L2: - Extension \`${e.name}\` supports version(s) \`${n}\``:n||(t+=` ... L4: Expected: \`${e.expected}\` L5: Received: \`${e.received}\``)}function It(){return new Dt(f.DuplicateIframe,`Duplicate iframes found.`)}function Lt(){return new Dt(f.SyncWeb3Method,`Non-async web3 methods are dep... L6: `);super(o,n.cause?{cause:n.cause}:void 0),Object.defineProperty(this,`details`,{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,`docs`,{enumera...
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

assets/vendor-auth-Co--LRQo.jsView on unpkg · L1
assets/DownloadSuccess-10_yJ28g.jsView file
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/sentry-Cy1ini9E.js","assets/index-CjO_mzsz.js","assets/rolldown-runtime-zSbnoVup.js","assets/emotion-styled-base.br... L2: import{s as e}from"./rolldown-runtime-zSbnoVup.js";import{g as t}from"./vendor-livekit-Br5iAbZ1.js";import{Dt as n}from"./vendor-web3-DZEXvs34.js";import{t as r}from"./Typography-D...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

assets/DownloadSuccess-10_yJ28g.jsView on unpkg · L1
assets/brotli_wasm_bg-NfWIZley.wasmView file
path = assets/brotli_wasm_bg-NfWIZley.wasm kind = wasm_module sizeBytes = 1056860 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

assets/brotli_wasm_bg-NfWIZley.wasmView on unpkg
catch_the_vibe/roustan.mp4View file
path = catch_the_vibe/roustan.mp4 kind = high_entropy_blob sizeBytes = 4190015 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

catch_the_vibe/roustan.mp4View on unpkg

Findings

1 Critical2 High4 Medium5 Low
CriticalWallet Drainassets/vendor-auth-Co--LRQo.js
HighSandbox Evasion Gated Capabilityassets/DownloadSuccess-10_yJ28g.js
HighShips High Entropy Blobcatch_the_vibe/roustan.mp4
MediumNetwork
MediumProtestware
MediumShips Wasm Moduleassets/brotli_wasm_bg-NfWIZley.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings