@gmacko/emulate@0.5.3

Local drop-in replacement services for CI and no-network sandboxes

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 26 file(s), 2.01 MB of source, external domains: calendar.google.com, docs.github.com, drive.google.com, emulate.dev, github.com, img.clerk.com, lh3.googleusercontent.com, meet.google.com

Source & flagged code

12 flagged
dist/dist-LDUHEJAN.js
L1560: patternName = aws_access_key severity = critical line = 1560 matchedText = access_k...LE",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/dist-LDUHEJAN.js · L1560
L1560: patternName = aws_access_key severity = critical line = 1560 matchedText = access_k...LE",
Critical
Secret Pattern

AWS access key ID in dist/dist-LDUHEJAN.js

dist/dist-LDUHEJAN.js · L1560
L33: function generateReceiptHandle() {
L34:   return randomBytes(48).toString("base64url");
L35: }
...
L62: function parseQueryString(body) {
L63:   const params = new URLSearchParams(body);
L64:   const result = {};
...
L107:   creation_date: (/* @__PURE__ */ new Date()).toISOString(),
L108:   acl: "private",
L109:   versioning_enabled: false
...
L1096: var errorHandler = createErrorHandler();
L1097: var isDebug = typeof process !== "undefined" && (process.env.DEBUG === "1" || process.env.DEBUG === "true" || process.env.EMULATE_DEBUG === "1");
L1098: var __dirname = dirname(fileURLToPath(import.meta.url));
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dist-LDUHEJAN.js · L33
dist/chunk-VBCANQAD.js
L23: var n = (t, e, o2) => e.has(t) || a("Cannot " + o2);
L24: var h = (t, e, o2) => (n(t, e, "read from private field"), o2 ? o2.call(t) : e.get(t));
L25: var R = (t, e, o2) => e.has(t) ? a("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(t) : e.set(t, o2);
...
L47: async function c2(t) {
L48:   s2 || r.has(t.toString()) || r.set(t.toString(), fetch(t));
L49: }
...
L65: async function p2(t) {
L66:   return s2 ? (await (await import("fs/promises")).readFile(t)).buffer : (c2(t), (await r.get(t.toString())).clone().arrayBuffer());
L67: }
...
L335: e = Q.map(e, function(n2) {
L336:   return Q.extend({}, n2, { data: Q.toUint8Array(n2.data) });
L337: });
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/chunk-VBCANQAD.js · L23
L893: var func = `(${args}) => { ${body} };`;
L894: ASM_CONSTS[start] = eval(func);
L895: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-VBCANQAD.js · L893
dist/pglite.wasm
path = dist/pglite.wasm kind = wasm_module sizeBytes = 8739902 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/pglite.wasm
dist/fonts/geist-sans.woff2
path = dist/fonts/geist-sans.woff2 kind = high_entropy_blob sizeBytes = 28400 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/fonts/geist-sans.woff2
dist/index.js
L408: patternName = generic_password severity = medium line = 408 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.js · L408
dist/chunk-D6EKRYGP.js
L1464: patternName = private_key_rsa severity = critical line = 1464 matchedText = if (type...0) {
Critical
Secret Pattern

RSA private key in dist/chunk-D6EKRYGP.js

dist/chunk-D6EKRYGP.js · L1464
dist/api.js
L387: patternName = generic_password severity = medium line = 387 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in dist/api.js

dist/api.js · L387
README.md
L345: patternName = private_key_rsa severity = critical line = 345 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in README.md

README.md · L345
L842: patternName = aws_access_key severity = critical line = 842 matchedText = **AWS**:...EY`.
Critical
Secret Pattern

AWS access key ID in README.md

README.md · L842

Findings

5 Critical · 2 High · 6 Medium · 6 Low
Critical · Critical Secret · dist/dist-LDUHEJAN.js
Critical · Secret Pattern · dist/dist-LDUHEJAN.js
Critical · Secret Pattern · dist/chunk-D6EKRYGP.js
Critical · Secret Pattern · README.md
Critical · Secret Pattern · README.md
High · Obfuscated Payload Loader · dist/chunk-VBCANQAD.js
High · Ships High Entropy Blob · dist/fonts/geist-sans.woff2
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · dist/pglite.wasm
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/index.js
Medium · Secret Pattern · dist/api.js
Low · Scripts Present
Low · Eval · dist/chunk-VBCANQAD.js
Low · Weak Crypto · dist/dist-LDUHEJAN.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings