registry  /  @finsemble/finsemble-core  /  10.3.0

@finsemble/finsemble-core@10.3.0

Finsemble is an application framework for building Electron based smart desktop applications.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 532 file(s), 43.5 MB of source, external domains: animista.net, assets.finsemble.com, atelierbram.github.io, bit.ly, chriskempson.com, clrs.cc, cosaic.kanbanize.com, cscorley.github.io, developer.mozilla.org, docs.google.com, docs.interop.io, documentation.finsemble.com, ethanschoonover.com, example.com, fb.me, fdc3.finos.org, github.com, google.com, hart-dev.com, json-schema.org, mysite.com, npms.io, railscasts.com, raw.githubusercontent.com, reactjs.org, redux.js.org, sethawright.com, stuk.github.io, tybenz.com, www.electronjs.org, www.google.com, www.monokai.nl, www.w3.org, xxx.com
Oversized source lightweight scan
dist/platform/services/window/windowServiceUI.js2.09 MB file, sampled 256 KB
ChildProcessDynamicRequireHighEntropyStringsMinifiedUrlStringsatelierbram.github.iochriskempson.comclrs.cccscorley.github.ioethanschoonover.comgithub.comhart-dev.comrailscasts.comsethawright.comtybenz.comwww.monokai.nl

Source & flagged code

9 flagged · loading source
dist/cli/cli-api/iocd.cjsView file
273patternName = generic_password severity = medium line = 273 matchedText = password...5!",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli/cli-api/iocd.cjsView on unpkg · L273
dist/platform/services/notification/notificationService.jsView file
1/*! For license information please see notificationService.js.LICENSE.txt */ L2: (()=>{var e={7007(e){"use strict";var t,n="object"==typeof Reflect?Reflect:null,r=n&&"function"==typeof n.apply?n.apply:function(e,t,n){return Function.prototype.apply.call(e,t,n)}... L3: //# sourceMappingURL=notificationService.js.map
High
Child Process

Package source references child process execution.

dist/platform/services/notification/notificationService.jsView on unpkg · L1
1/*! For license information please see notificationService.js.LICENSE.txt */ L2: (()=>{var e={7007(e){"use strict";var t,n="object"==typeof Reflect?Reflect:null,r=n&&"function"==typeof n.apply?n.apply:function(e,t,n){return Function.prototype.apply.call(e,t,n)}... L3: //# sourceMappingURL=notificationService.js.map
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/platform/services/notification/notificationService.jsView on unpkg · L1
dist/platform/preloads/BloombergBridgePreload.jsView file
1/*! For license information please see BloombergBridgePreload.js.LICENSE.txt */ L2: (()=>{var e={5580(e,t,r){var n=r(6110)(r(9325),"DataView");e.exports=n},1549(e,t,r){var n=r(2032),i=r(3862),o=r(6721),s=r(2749),a=r(5749);function u(e){var t=-1,r=null==e?0:e.lengt... L3: //# sourceMappingURL=BloombergBridgePreload.js.map
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/platform/preloads/BloombergBridgePreload.jsView on unpkg · L1
cli-api.jsView file
6* Usage: L7: * const { ruleCSS, launchFEA} = require("@finsemble/finsemble-core/cli-api"); L8: *
Medium
Dynamic Require

Package source references dynamic require/import behavior.

cli-api.jsView on unpkg · L6
dist/platform/FSBL.jsView file
1/*! For license information please see FSBL.js.LICENSE.txt */ L2: !function(e,t){"object"==typeof exports&&"object"==typeof module?module.exports=t():"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.FSBLDesktopA... L3: //# sourceMappingURL=FSBL.js.map
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/platform/FSBL.jsView on unpkg · L1
dist/platform/assets/css/fonts/font-finance.woffView file
path = [redacted]-finance.woff kind = high_entropy_blob sizeBytes = 13747 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/platform/assets/css/fonts/font-finance.woffView on unpkg
dist/platform/services/window/windowServiceUI.jsView file
path = [redacted].js kind = oversized_source_file sizeBytes = 2191442 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/platform/services/window/windowServiceUI.jsView on unpkg
dist/polyfill/appender/index.jsView file
2patternName = generic_password severity = medium line = 2 matchedText = !functio...());
Medium
Secret Pattern

Hardcoded password in dist/polyfill/appender/index.js

dist/polyfill/appender/index.jsView on unpkg · L2

Findings

7 High7 Medium6 Low
HighChild Processdist/platform/services/notification/notificationService.js
HighShell
HighSame File Env Network Executiondist/platform/FSBL.js
HighCommand Output Exfiltrationdist/platform/services/notification/notificationService.js
HighObfuscated
HighShips High Entropy Blobdist/platform/assets/css/fonts/font-finance.woff
HighOversized Source Filedist/platform/services/window/windowServiceUI.js
MediumSecret Patterndist/cli/cli-api/iocd.cjs
MediumDynamic Requirecli-api.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/polyfill/appender/index.js
LowScripts Present
LowEvaldist/platform/preloads/BloombergBridgePreload.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License