@kostnytte/excalidraw@0.18.1-praksis.7

Excalidraw as a React component

Static Scan Results

scanned 19h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Eval, Filesystem, NativeBindings, Network
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 130 file(s), 9.80 MB of source, external domains: app.excalidraw.com, discord.gg, docs.excalidraw.com, embed.reddit.com, esm.sh, excalidraw-room-persistence.firebaseio.com, giphy.com, gist.github.com, github.com, json-dev.excalidraw.com, json.excalidraw.com, libraries.excalidraw.com, mermaid.js.org, oss-ai.excalidraw.com, oss-collab.excalidraw.com, platform.twitter.com, player.vimeo.com, plus.excalidraw.com, reddit.com, twitter.com, us-central1-excalidraw-room-persistence.cloudfunctions.net, www.figma.com, www.w3.org, www.youtube.com, x.com, youtube.com

Source & flagged code

7 flagged
dist/prod/chunk-EIO257PC.js
patternName = aws_access_key severity = critical line = 22 matchedText = `,d.push... d};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/prod/chunk-EIO257PC.js · L22
patternName = aws_access_key severity = critical line = 22 matchedText = `,d.push... d};
Critical
Secret Pattern

AWS access key ID in dist/prod/chunk-EIO257PC.js

dist/prod/chunk-EIO257PC.js · L22
L1: import{a as Qg}from"./chunk-SRAX5OIU.js";var GQ=(()=>{let F=new Uint8Array(128);for(let L=0;L<64;L++)F[L<26?L+65:L<52?L+71:L<62?L-4:L*4-205]=L;return L=>{let I=L.length,y=new Uint8...
L2: ${I.extraStackTrace()}`),HI(A)}function dI(A,g,C,Q){w(`Assertion failed: ${T(A)}, at: ${[g?T(g):"unknown filename",C,Q?T(Q):"unknown function"]}`)}function ZI(A){return MA(A)}let t...
L3: "use strict"; return body.apply(this, arguments);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/prod/chunk-EIO257PC.js · L1
dist/prod/fonts/Assistant/Assistant-Bold.woff2
path = [redacted]-Bold.woff2 kind = high_entropy_blob sizeBytes = 20380 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/prod/fonts/Assistant/Assistant-Bold.woff2
dist/prod/chunk-QOA62N65.js
patternName = google_api_key severity = high line = 1 matchedText = var c={V...AZZX
High
Secret Pattern

Google API key in dist/prod/chunk-QOA62N65.js

dist/prod/chunk-QOA62N65.js · L1
dist/dev/chunk-IA3Z6TSF.js
patternName = google_api_key severity = high line = 2 matchedText = var defi...e };
High
Secret Pattern

Google API key in dist/dev/chunk-IA3Z6TSF.js

dist/dev/chunk-IA3Z6TSF.js · L2
dist/dev/chunk-OKSO7T74.js
patternName = aws_access_key severity = critical line = 3928 matchedText = var harf...=`);
Critical
Secret Pattern

AWS access key ID in dist/dev/chunk-OKSO7T74.js

dist/dev/chunk-OKSO7T74.js · L3928

Findings

3 Critical · 3 High · 3 Medium · 6 Low
Critical · Critical Secret · dist/prod/chunk-EIO257PC.js
Critical · Secret Pattern · dist/prod/chunk-EIO257PC.js
Critical · Secret Pattern · dist/dev/chunk-OKSO7T74.js
High · Ships High Entropy Blob · dist/prod/fonts/Assistant/Assistant-Bold.woff2
High · Secret Pattern · dist/prod/chunk-QOA62N65.js
High · Secret Pattern · dist/dev/chunk-IA3Z6TSF.js
Medium · Network
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · dist/prod/chunk-EIO257PC.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings