registry  /  @inkeep/open-knowledge  /  0.28.2

@inkeep/open-knowledge@0.28.2

⚠ Under review

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 23 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 567 file(s), 17.2 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, bun.sh, cdn.jsdelivr.net, chevrotain.io, claude.com, cscott.net, cursor.com, developers.openai.com, discord.com, docs.claude.com, docs.github.com, docs.orama.com, en.wikipedia.org, example.com, fb.me, foo.bar, git-scm.com, github.com, gnu.org, html.spec.whatwg.org, json-schema.org, landley.net, langium.org, openai.com, opencode.ai, openknowledge.ai, pi.dev, placeholder.invalid, placeholder.local, player.vimeo.com, prosemirror.net, radix-ui.com, react.dev, uploads.github.com, vimeo.com, www.ibm.com, www.loom.com, www.w3.org, x.com
Oversized source lightweight scan
dist/dist-AMcKbNor.mjs2.68 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsMinifiedUrlStringsapi.github.com
dist/public/assets/pdf.worker-B1D2UnXD.mjs2.06 MB file, sampled 256 KB
NetworkChildProcessDynamicRequireUrlStringsexample.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/lib-CCQO9uWA.mjsView file
39patternName = private_key_rsa severity = critical line = 39 matchedText = -----END...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/lib-CCQO9uWA.mjsView on unpkg · L39
39patternName = private_key_rsa severity = critical line = 39 matchedText = -----END...----
Critical
Secret Pattern

RSA private key in dist/lib-CCQO9uWA.mjs

dist/lib-CCQO9uWA.mjsView on unpkg · L39
dist/native/index.jsView file
5L6: const { readFileSync } = require('fs') L7: let nativeBinding = null
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/native/index.jsView on unpkg · L5
dist/chunk-6Z5SFZXK-C3WlMqq-.mjsView file
116contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/chunk-6Z5SFZXK-C3WlMqq-.mjsView on unpkg · L116
dist/native/native-config.linux-arm64-musl.nodeView file
path = dist/native/native-config.linux-arm64-musl.node kind = native_binary sizeBytes = 796488 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/native/native-config.linux-arm64-musl.nodeView on unpkg
dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/public/assets/pdf.worker-B1D2UnXD.mjsView file
path = dist/public/assets/pdf.worker-B1D2UnXD.mjs kind = oversized_source_file sizeBytes = 2161149 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/public/assets/pdf.worker-B1D2UnXD.mjsView on unpkg
dist/git-handle-B4hCEi7c-CXOP12Ds.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @inkeep/open-knowledge@0.22.0 matchedIdentity = npm:QGlua2VlcC9vcGVuLWtub3dsZWRnZQ:0.22.0 similarity = 0.642 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/git-handle-B4hCEi7c-CXOP12Ds.mjsView on unpkg

Findings

3 Critical4 High7 Medium9 Low
CriticalCritical Secretdist/lib-CCQO9uWA.mjs
CriticalTrojan Source Unicodedist/chunk-6Z5SFZXK-C3WlMqq-.mjs
CriticalSecret Patterndist/lib-CCQO9uWA.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdist/public/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/public/assets/pdf.worker-B1D2UnXD.mjs
HighPrevious Version Dangerous Deltadist/git-handle-B4hCEi7c-CXOP12Ds.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/native/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binarydist/native/native-config.linux-arm64-musl.node
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License