registry  /  @iblai/iblai-js  /  1.22.2

@iblai/iblai-js@1.22.2

⚠ Under review

Unified JavaScript SDK for IBL.ai — re-exports data-layer, web-containers, and web-utils under a single package

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 975 KB of source, external domains: apis.google.com, conradmugabe.vercel.app, github.com, js.live.net, mailsac.com, www.dropbox.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
dist/web-containers/source/index.esm.js8.68 MB file, sampled 256 KB
HighEntropyStringsUrlStringsapis.google.comgithub.comjs.live.netwww.dropbox.comwww.googleapis.com
dist/web-containers/source/next/index.esm.js12.3 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsUrlStringsgithub.comwww.w3.org

Source & flagged code

6 flagged · loading source
dist/playwright/index.esm.jsView file
3import winston from 'winston'; L4: import axios from 'axios'; L5: import AxeBuilder from '@axe-core/playwright'; ... L7: const logger = winston.createLogger({ L8: level: process.env.CI ? 'silent' : 'info', L9: format: winston.format.combine(winston.format.colorize(), winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }), winston.format.printf((info) => { ... L177: try { L178: JSON.parse(value); L179: return true; ... L298: // Fill in Password field L299: const passwordInputField = page.getByPlaceholder('Password', { L300: exact: true,
Critical
Browser Credential Phishing

Source appears to collect browser login credentials for exfiltration.

dist/playwright/index.esm.jsView on unpkg · L3
3Trigger-reachable chain: manifest.exports -> dist/playwright/index.esm.js L3: import winston from 'winston'; L4: import axios from 'axios'; L5: import AxeBuilder from '@axe-core/playwright'; ... L7: const logger = winston.createLogger({ L8: level: process.env.CI ? 'silent' : 'info', L9: format: winston.format.combine(winston.format.colorize(), winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }), winston.format.printf((info) => { ... L177: try { L178: JSON.parse(value); L179: return true; ... L298: // Fill in Password field L299: const passwordInputField = page.getByPlaceholder('Password', { L300: exact: true,
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/playwright/index.esm.jsView on unpkg · L3
275patternName = generic_password severity = medium line = 275 matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/playwright/index.esm.jsView on unpkg · L275
bin/ibl-mcp-server.jsView file
6// Resolve @iblai/mcp from this package's dependency tree L7: const require = createRequire(import.meta.url); L8: const mcpEntry = require.resolve('@iblai/mcp');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/ibl-mcp-server.jsView on unpkg · L6
dist/web-containers/source/next/index.esm.jsView file
path = dist/web-containers/source/next/index.esm.js kind = oversized_source_file sizeBytes = 12896598 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/web-containers/source/next/index.esm.jsView on unpkg
dist/playwright/index.cjsView file
276patternName = generic_password severity = medium line = 276 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in dist/playwright/index.cjs

dist/playwright/index.cjsView on unpkg · L276

Findings

2 Critical1 High6 Medium3 Low
CriticalBrowser Credential Phishingdist/playwright/index.esm.js
CriticalTrigger Reachable Dangerous Capabilitydist/playwright/index.esm.js
HighOversized Source Filedist/web-containers/source/next/index.esm.js
MediumSecret Patterndist/playwright/index.esm.js
MediumDynamic Requirebin/ibl-mcp-server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/playwright/index.cjs
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings