@juspay/neurolink@9.81.1

⚠ Under review

Universal AI Development Platform with working MCP integration, multi-provider support, voice (TTS/STT/realtime), and professional CLI. 58+ external MCP servers discoverable, multimodal file processing, RAG pipelines. Build, test, and deploy AI applicatio

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 23 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1,517 file(s), 17.6 MB of source, external domains: 127.0.0.1, accounts.google.com, aiplatform.googleapis.com, aistudio.google.com, api-inference.huggingface.co, api.anthropic.com, api.arize.com, api.braintrust.dev, api.cartesia.ai, api.clerk.com, api.cloudflare.com, api.cohere.com, api.d-id.com, api.datadoghq.com, api.deepgram.com, api.deepseek.com, api.dev.runwayml.com, api.elevenlabs.io, api.fireworks.ai, api.fish.audio, api.groq.com, api.heygen.com, api.ideogram.ai, api.jina.ai, api.laminar.run, api.mistral.ai, api.openai.com, api.openrouter.ai, api.perplexity.ai, api.piapi.ai, api.replicate.com, api.smith.langchain.com, api.stability.ai, api.together.xyz, api.voyageai.com, api.workos.com, api.x.ai, app.posthog.com, auth0.com, aws.amazon.com, bedrock-runtime.us-east-1.amazonaws.com, better-auth.com, build.nvidia.com, cdn.jsdelivr.net, claude.ai, clerk.com, clerk.dev, cloud.google.com, cloud.langfuse.com, console.anthropic.com
Oversized source lightweight scan
dist/browser/neurolink.min.js: 4.75 MB file, sampled 256 KB
EnvironmentVars, Eval, HighEntropyStrings, Minified, Protestware

Source & flagged code

12 flagged
dist/utils/providerConfig.js
L715: patternName = private_key_rsa severity = critical line = 715 matchedText = "GOOGLE_.....",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

L715: patternName = private_key_rsa severity = critical line = 715 matchedText = "GOOGLE_.....",
Critical
Secret Pattern

RSA private key in dist/utils/providerConfig.js

dist/auth/sessionManager.js
L120: const moduleName = "redis";
L121: const redisModule = (await import(
L122: /* @vite-ignore */ moduleName));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/providers/googleVertex.js
L304: const getVertexLocation = () => {
L305: return (process.env.GOOGLE_CLOUD_LOCATION ||
L306: process.env.VERTEX_LOCATION ||
...
L359: (process.env.GOOGLE_AUTH_CLIENT_EMAIL &&
L360: process.env.GOOGLE_AUTH_PRIVATE_KEY));
L361: };
...
L398: location,
L399: fetch: createProxyFetch(),
L400: };
...
L1032: else {
L1033: // Assume it's already base64 encoded
L1034: pdfBuffer = Buffer.from(pdfFile, "base64");
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

scripts/observability/manage-local-openobserve.sh
path = scripts/observability/manage-local-openobserve.sh kind = build_helper sizeBytes = 7309 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/browser/neurolink.min.js
path = dist/browser/neurolink.min.js kind = oversized_source_file sizeBytes = 4978480 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/utils/conversationMemory.js
matchType = previous_version_dangerous_delta matchedPackage = @juspay/neurolink@9.80.3 matchedIdentity = npm:QGp1c3BheS9uZXVyb2xpbms:9.80.3 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/processors/errors/errorSerializer.js
L471: patternName = generic_password severity = medium line = 471 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/processors/errors/errorSerializer.js

dist/processors/errors/errorSerializer.d.ts
L75: patternName = generic_password severity = medium line = 75 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/processors/errors/errorSerializer.d.ts

dist/lib/utils/providerConfig.js
L715: patternName = private_key_rsa severity = critical line = 715 matchedText = "GOOGLE_.....",
Critical
Secret Pattern

RSA private key in dist/lib/utils/providerConfig.js

dist/lib/processors/errors/errorSerializer.js
L471: patternName = generic_password severity = medium line = 471 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/lib/processors/errors/errorSerializer.js

dist/lib/processors/errors/errorSerializer.d.ts
L75: patternName = generic_password severity = medium line = 75 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/lib/processors/errors/errorSerializer.d.ts


Findings

5 Critical · 1 High · 10 Medium · 7 Low
Critical · Critical Secret · dist/utils/providerConfig.js
Critical · Credential Exfiltration · dist/providers/googleVertex.js
Critical · Previous Version Dangerous Delta · dist/utils/conversationMemory.js
Critical · Secret Pattern · dist/utils/providerConfig.js
Critical · Secret Pattern · dist/lib/utils/providerConfig.js
High · Oversized Source File · dist/browser/neurolink.min.js
Medium · Dynamic Require · dist/auth/sessionManager.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Build Helper · scripts/observability/manage-local-openobserve.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/processors/errors/errorSerializer.js
Medium · Secret Pattern · dist/processors/errors/errorSerializer.d.ts
Medium · Secret Pattern · dist/lib/processors/errors/errorSerializer.js
Medium · Secret Pattern · dist/lib/processors/errors/errorSerializer.d.ts
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings