registry  /  @golstats/gsc-filters  /  1.1.3

@golstats/gsc-filters@1.1.3

Componente filtros

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue filters component that can call GolStats-related APIs when its components/helpers are used at runtime.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports/uses the Vue components or exported fetch helpers in a browser app.
Impact
Expected remote data loading; no install-time execution, persistence, credential harvesting, or unconsented mutation found.
Mechanism
package-aligned API/image data fetching with Authorization headers
Rationale
Static inspection shows a bundled Vue UI library with expected GolStats API/image fetching and a default token fallback, but no lifecycle execution, filesystem mutation, persistence, shell execution, or exfiltration behavior. The scanner's secret/network signals are explained by package-aligned runtime API access.
Evidence
package.jsonREADME.mddist/gsc-filters.jsdist/gsc-filters.umd.cjsdist/index-02e7b53b.jsdist/FilterField-0f3013eb.jsdist/FilterSubcategories-4c69ac5b.jsdist/FilterConditions-33ce2100.js
Network endpoints10
golstatsimages.blob.core.windows.netapis.golstats.comdev-apis.golstats.comts7thxzaik.execute-api.us-west-2.amazonaws.comqyyibs1w0d.execute-api.us-west-2.amazonaws.comkefloixzy1.execute-api.us-west-2.amazonaws.com2gfppi9wb6.execute-api.us-east-2.amazonaws.comyjeig444bb.execute-api.us-west-2.amazonaws.coma3tmmmjdaj.execute-api.us-east-2.amazonaws.comexample-api.golstats.com

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index-02e7b53b.js contains runtime fetch/axios calls with Authorization headers.
  • dist/index-02e7b53b.js includes a hardcoded default GolStats JWT-like token and reads localStorage user_token/token.
  • dist/index-02e7b53b.js has package-aligned API/image URLs under golstats.com, execute-api.amazonaws.com, and blob storage.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle hooks or bin entry.
  • Entrypoints dist/gsc-filters.js and dist/gsc-filters.umd.cjs are Vue component/library bundles.
  • No child_process, fs writes, eval/Function, native loading, persistence, or AI-agent control-surface writes found.
  • Network use is tied to UI data loading for tournaments, templates, players, videos, images, and exported fetch helpers.
  • Default token appears to be a GolStats free-user fallback, not a harvested secret or exfil target.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 6 file(s), 1.54 MB of source, external domains: 2gfppi9wb6.execute-api.us-east-2.amazonaws.com, a3tmmmjdaj.execute-api.us-east-2.amazonaws.com, apis.golstats.com, dev-apis.golstats.com, example-api.golstats.com, github.com, golstatsimages.blob.core.windows.net, kefloixzy1.execute-api.us-west-2.amazonaws.com, qyyibs1w0d.execute-api.us-west-2.amazonaws.com, ts7thxzaik.execute-api.us-west-2.amazonaws.com, www.w3.org, yjeig444bb.execute-api.us-west-2.amazonaws.com

Source & flagged code

11 flagged · loading source
dist/index-02e7b53b.jsView file
932patternName = supabase_service_key severity = critical line = 932 matchedText = default:...4YE"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index-02e7b53b.jsView on unpkg · L932
932patternName = supabase_service_key severity = critical line = 932 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L932
5775patternName = supabase_service_key severity = critical line = 5775 matchedText = const L1...1]);
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L5775
5893patternName = supabase_service_key severity = critical line = 5893 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L5893
8716patternName = supabase_service_key severity = critical line = 8716 matchedText = Authoriz...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L8716
10021patternName = supabase_service_key severity = critical line = 10021 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L10021
10668patternName = supabase_service_key severity = critical line = 10668 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L10668
12557patternName = supabase_service_key severity = critical line = 12557 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L12557
13855patternName = supabase_service_key severity = critical line = 13855 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-02e7b53b.js

dist/index-02e7b53b.jsView on unpkg · L13855
dist/gsc-filters.umd.cjsView file
1patternName = supabase_service_key severity = critical line = 1 matchedText = (functio...it(`
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-filters.umd.cjs

dist/gsc-filters.umd.cjsView on unpkg · L1
6patternName = supabase_service_key severity = critical line = 6 matchedText = `+r):o.s...)});
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-filters.umd.cjs

dist/gsc-filters.umd.cjsView on unpkg · L6

Findings

11 Critical1 Medium4 Low
CriticalCritical Secretdist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/index-02e7b53b.js
CriticalSecret Patterndist/gsc-filters.umd.cjs
CriticalSecret Patterndist/gsc-filters.umd.cjs
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License