registry  /  @golstats/gsc-filters  /  1.1.6

@golstats/gsc-filters@1.1.6

Componente filtros

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a browser Vue filter component that makes runtime requests for Golstats data and may use a host application's stored Golstats token for authorization.

Static reason
One or more suspicious static signals were detected.
Trigger
Rendering filter components or calling exported runtime data helpers.
Impact
Uses configured or locally stored authorization credentials only for Golstats-aligned API requests; no install-time execution or host mutation was found.
Mechanism
Browser-side fetch/Axios requests for sports filter data.
Rationale
The scanner's secret and network signals correspond to a Vue sports-filter UI's runtime API authorization and data loading. Static inspection found no concrete malicious chain, install hook, exfiltration to unrelated infrastructure, or system/agent-control mutation.
Evidence
package.jsondist/gsc-filters.jsdist/gsc-filters.umd.cjsdist/index-b3841b9d.jsREADME.md
Network endpoints9
apis.golstats.comdev-apis.golstats.comdtcf4s9tapfr0.cloudfront.net2gfppi9wb6.execute-api.us-east-2.amazonaws.com/prod/videos/categoriesa3tmmmjdaj.execute-api.us-east-2.amazonaws.comkefloixzy1.execute-api.us-west-2.amazonaws.com/prod/tournamentsqyyibs1w0d.execute-api.us-west-2.amazonaws.com/prod/calendar/gamesBySeason?ts7thxzaik.execute-api.us-west-2.amazonaws.com/prod/players/seasons/yjeig444bb.execute-api.us-west-2.amazonaws.com

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index-b3841b9d.js` reads `localStorage` token keys and sends them as Authorization headers.
  • `dist/index-b3841b9d.js` contains a hard-coded default JWT-like bearer token.
  • Runtime components fetch Golstats sports/filter data from configured endpoints.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Entrypoints only export Vue filter components and data helpers.
  • No Node filesystem, child-process, eval, dynamic-code, or persistence primitives were found.
  • Network requests are component/runtime data fetches to Golstats-aligned APIs and static assets.
  • No source writes files, modifies agent settings, harvests environment variables, or loads remote code.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 6 file(s), 1.54 MB of source, external domains: 2gfppi9wb6.execute-api.us-east-2.amazonaws.com, a3tmmmjdaj.execute-api.us-east-2.amazonaws.com, apis.golstats.com, dev-apis.golstats.com, dtcf4s9tapfr0.cloudfront.net, github.com, golstatsimages.blob.core.windows.net, kefloixzy1.execute-api.us-west-2.amazonaws.com, qyyibs1w0d.execute-api.us-west-2.amazonaws.com, ts7thxzaik.execute-api.us-west-2.amazonaws.com, www.w3.org, yjeig444bb.execute-api.us-west-2.amazonaws.com

Source & flagged code

12 flagged · loading source
dist/index-b3841b9d.jsView file
932patternName = supabase_service_key severity = critical line = 932 matchedText = default:...4YE"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index-b3841b9d.jsView on unpkg · L932
932patternName = supabase_service_key severity = critical line = 932 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L932
5775patternName = supabase_service_key severity = critical line = 5775 matchedText = const L1...1]);
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L5775
5893patternName = supabase_service_key severity = critical line = 5893 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L5893
8326patternName = supabase_service_key severity = critical line = 8326 matchedText = const t ... = {
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L8326
8716patternName = supabase_service_key severity = critical line = 8716 matchedText = Authoriz...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L8716
10037patternName = supabase_service_key severity = critical line = 10037 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L10037
10684patternName = supabase_service_key severity = critical line = 10684 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L10684
12574patternName = supabase_service_key severity = critical line = 12574 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L12574
13872patternName = supabase_service_key severity = critical line = 13872 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-b3841b9d.js

dist/index-b3841b9d.jsView on unpkg · L13872
dist/gsc-filters.umd.cjsView file
1patternName = supabase_service_key severity = critical line = 1 matchedText = (functio...it(`
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-filters.umd.cjs

dist/gsc-filters.umd.cjsView on unpkg · L1
6patternName = supabase_service_key severity = critical line = 6 matchedText = `+r):o.s...)});
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-filters.umd.cjs

dist/gsc-filters.umd.cjsView on unpkg · L6

Findings

12 Critical1 Medium4 Low
CriticalCritical Secretdist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/index-b3841b9d.js
CriticalSecret Patterndist/gsc-filters.umd.cjs
CriticalSecret Patterndist/gsc-filters.umd.cjs
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License