Static Scan Results
scanned 12d ago · by rust-scannerStatic analysis flagged 7 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
Crypto
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.esm.jsView file
1import { a as NotSolanaProviderError, c as isSolanaWalletAccount, d as [redacted], f as name, i as isSolanaGasSponsorshipEnabled, l as isVersionedTransact...
L2: import { t as assertBufferAvailable } from "./assertBufferAvailable-b4xOlERy.esm.js";
...
L191: outAssets: response.outAssets || [],
L192: priceData: response.priceData,
L193: showTotalFiat: response.showTotalFiat,
...
L268: //#region [redacted].constants.ts
L269: const PHANTOM_DEEPLINK_BASE_URL = "https://phantom.app/ul/v1";
L270: const PHANTOM_SESSION_STORAGE_KEY = "phantom_session";
...
L382: if (!decrypted) throw new PhantomRedirectDecryptionError();
L383: const decryptedString = getBuffer().from(decrypted).toString("utf-8");
L384: try {
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
dist/index.esm.jsView on unpkg · L1dist/index.cjsView file
57Trigger-reachable chain: manifest.main -> dist/index.cjs
L57: * This function fetches the transaction fee by compiling the transaction message
L58: * and querying the network. It handles both legacy Transaction and VersionedTransaction
L59: * formats and includes retry logic for network requests.
...
L195: outAssets: response.outAssets || [],
L196: priceData: response.priceData,
L197: showTotalFiat: response.showTotalFiat,
...
L272: //#region [redacted].constants.ts
L273: const PHANTOM_DEEPLINK_BASE_URL = "https://phantom.app/ul/v1";
L274: const PHANTOM_SESSION_STORAGE_KEY = "phantom_session";
...
L386: if (!decrypted) throw new PhantomRedirectDecryptionError();
L387: const decryptedString = (0, _dynamic_labs_sdk_client_core.getBuffer)().from(decrypted).toString("utf-8");
L388: try {
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.cjsView on unpkg · L57Findings
2 Critical1 Medium4 Low
CriticalWallet Draindist/index.esm.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License