registry  /  @inkeep/open-knowledge  /  0.21.0

@inkeep/open-knowledge@0.21.0

⚠ Under review

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 26 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 530 file(s), 16.9 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, bun.sh, cdn.jsdelivr.net, chevrotain.io, claude.com, cscott.net, cursor.com, developers.openai.com, docs.claude.com, docs.github.com, docs.orama.com, en.wikipedia.org, example.com, fb.me, foo.bar, github.com, gnu.org, html.spec.whatwg.org, json-schema.org, landley.net, langium.org, openai.com, opencode.ai, openknowledge.ai, placeholder.invalid, player.vimeo.com, prosemirror.net, radix-ui.com, react.dev, uploads.github.com, www.ibm.com, www.loom.com, www.w3.org
Oversized source lightweight scan
dist/dist-1VwAWeko.mjs2.65 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsMinifiedUrlStringsapi.github.com
dist/public/assets/pdf.worker-B1D2UnXD.mjs2.06 MB file, sampled 256 KB
NetworkChildProcessDynamicRequireUrlStringsexample.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/lib-CItGM3rN.mjsView file
39patternName = private_key_rsa severity = critical line = 39 matchedText = -----END...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/lib-CItGM3rN.mjsView on unpkg · L39
39patternName = private_key_rsa severity = critical line = 39 matchedText = -----END...----
Critical
Secret Pattern

RSA private key in dist/lib-CItGM3rN.mjs

dist/lib-CItGM3rN.mjsView on unpkg · L39
scripts/probe-exec.tsView file
59console.log(` ${label}`); L60: console.log(` exec(${JSON.stringify(cmd)})`); L61: console.log('═══════════════════════════════════════════════════════════');
High
Child Process

Package source references child process execution.

scripts/probe-exec.tsView on unpkg · L59
dist/server-lock-CN2YHwpP-Ca8AKq_V.mjsView file
90contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/server-lock-CN2YHwpP-Ca8AKq_V.mjsView on unpkg · L90
dist/js-exec-M6UR76J5-Cu6NIWHE.mjsView file
28Cross-file remote execution chain: dist/js-exec-M6UR76J5-Cu6NIWHE.mjs spawns dist/chunk-5QMZ5MUS-BwpNU33k.mjs; helper contains network access plus dynamic code execution. L28: Available modules: L29: fs, path, child_process, process, console, L30: os, url, assert, util, events, buffer, stream, ... L43: child_process: L44: execSync(cmd) throws on non-zero exit, returns stdout L45: spawnSync(cmd, args) returns { stdout, stderr, status } ... L49: L50: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L51: EOL, cpus(), endianness() L52: L53: url: URL, URLSearchParams, parse(), format() L54:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-M6UR76J5-Cu6NIWHE.mjsView on unpkg · L28
dist/native/native-config.linux-arm64-musl.nodeView file
path = dist/native/native-config.linux-arm64-musl.node kind = native_binary sizeBytes = 796488 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/native/native-config.linux-arm64-musl.nodeView on unpkg
dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/public/assets/pdf.worker-B1D2UnXD.mjsView file
path = dist/public/assets/pdf.worker-B1D2UnXD.mjs kind = oversized_source_file sizeBytes = 2161149 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/public/assets/pdf.worker-B1D2UnXD.mjsView on unpkg
dist/start-BKBgmBrV.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @inkeep/open-knowledge@0.22.0 matchedIdentity = npm:QGlua2VlcC9vcGVuLWtub3dsZWRnZQ:0.22.0 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/start-BKBgmBrV.mjsView on unpkg

Findings

4 Critical6 High7 Medium9 Low
CriticalCritical Secretdist/lib-CItGM3rN.mjs
CriticalTrojan Source Unicodedist/server-lock-CN2YHwpP-Ca8AKq_V.mjs
CriticalPrevious Version Dangerous Deltadist/start-BKBgmBrV.mjs
CriticalSecret Patterndist/lib-CItGM3rN.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/probe-exec.ts
HighShell
HighCross File Remote Execution Contextdist/js-exec-M6UR76J5-Cu6NIWHE.mjs
HighShips High Entropy Blobdist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/public/assets/pdf.worker-B1D2UnXD.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binarydist/native/native-config.linux-arm64-musl.node
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License