registry  /  @lystech/core  /  3.0.80

@lystech/core@3.0.80

⚠ Under review

Lystech Core contains essentials for lystech apps

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 2.12 MB of source, external domains: accounts.google.com, ant.design, api.github.com, apis.google.com, github.com, jedwatson.github.io, lysbunback-usgg4.ondigitalocean.app, lystech.firebaseio.com, momentjs.com, placehold.co, react-query.tanstack.com, reactjs.org, reactrouter.com, u.ant.design, www.google.com, www.paypal.com, www.sandbox.paypal.com, www.w3.org
Oversized source lightweight scan
dist/lystech-core-provider.es.js2.33 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsmomentjs.comreactjs.orgwww.google.comwww.paypal.comwww.sandbox.paypal.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/lystech-core-provider.umd.jsView file
16* LICENSE file in the root directory of this source tree. L17: */var zg;function b8(){return zg||(zg=1,process.env.NODE_ENV!=="production"&&function(){var e=O,t=Symbol.for("react.element"),n=Symbol.for("react.portal"),r=Symbol.for("react.fragm... L18: `+q+Z}}var ae=!1,ie;{var _=typeof WeakMap=="function"?WeakMap:Map;ie=new _}function te(Z,Pe){if(!Z||ae)return"";{var De=ie.get(Z);if(De!==void 0)return De}var $e;ae=!0;var tt=Error... ... L20: `),yt=it.length-1,bt=Tt.length-1;yt>=1&&bt>=0&&it[yt]!==Tt[bt];)bt--;for(;yt>=1&&bt>=0;yt--,bt--)if(it[yt]!==Tt[bt]){if(yt!==1||bt!==1)do if(yt--,bt--,bt<0||it[yt]!==Tt[bt]){var Be... L21: `+it[yt].replace(" at new "," at ");return Z.displayName&&Be.includes("<anonymous>")&&(Be=Be.replace("<anonymous>",Z.displayName)),typeof Z=="function"&&ie.set(Z,Be),Be}while(yt>=1... L22: ... L59: * limitations under the License. L60: */const kg=function(e){const t=[];let n=0;for(let r=0;r<e.length;r++){let a=e.charCodeAt(r);a<128?t[n++]=a:a<2048?(t[n++]=a>>6|192,t[n++]=a&63|128):(a&64512)===55296&&r+1<e.length&... L61: * @license ... L374: * limitations under the License. L375: */function K4(e){_o(new Gi("platform-logger",t=>new o4(t),"PRIVATE")),_o(ne
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/lystech-core-provider.umd.jsView on unpkg · L16
16Trigger-reachable chain: manifest.main -> dist/lystech-core-provider.umd.js L16: * LICENSE file in the root directory of this source tree. L17: */var zg;function b8(){return zg||(zg=1,process.env.NODE_ENV!=="production"&&function(){var e=O,t=Symbol.for("react.element"),n=Symbol.for("react.portal"),r=Symbol.for("react.fragm... L18: `+q+Z}}var ae=!1,ie;{var _=typeof WeakMap=="function"?WeakMap:Map;ie=new _}function te(Z,Pe){if(!Z||ae)return"";{var De=ie.get(Z);if(De!==void 0)return De}var $e;ae=!0;var tt=Error... ... L20: `),yt=it.length-1,bt=Tt.length-1;yt>=1&&bt>=0&&it[yt]!==Tt[bt];)bt--;for(;yt>=1&&bt>=0;yt--,bt--)if(it[yt]!==Tt[bt]){if(yt!==1||bt!==1)do if(yt--,bt--,bt<0||it[yt]!==Tt[bt]){var Be... L21: `+it[yt].replace(" at new "," at ");return Z.displayName&&Be.includes("<anonymous>")&&(Be=Be.replace("<anonymous>",Z.displayName)),typeof Z=="function"&&ie.set(Z,Be),Be}while(yt>=1... L22: ... L59: * limitations under the License. L60: */const kg=function(e){const t=[];let n=0;for(let r=0;r<e.length;r++){let a=e.charCodeAt(r);a<128?t[n++]=a:a<2048?(t[n++]=a>>6|192,t[n++]=a&63|128):(a&64512)===55296&&r+1<e.length&... L61: * @license ... L374: * limitations under the License. L375…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lystech-core-provider.umd.jsView on unpkg · L16
1718patternName = google_api_key severity = high line = 1718 matchedText = }`;funct...en:`
High
High Secret

Package contains a high-severity secret pattern.

dist/lystech-core-provider.umd.jsView on unpkg · L1718
1718patternName = google_api_key severity = high line = 1718 matchedText = }`;funct...en:`
High
Secret Pattern

Google API key in dist/lystech-core-provider.umd.js

dist/lystech-core-provider.umd.jsView on unpkg · L1718
dist/lystech-core-provider.es.jsView file
path = dist/lystech-core-provider.es.js kind = oversized_source_file sizeBytes = 2439852 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/lystech-core-provider.es.jsView on unpkg

Findings

2 Critical4 High4 Medium4 Low
CriticalCredential Exfiltrationdist/lystech-core-provider.umd.js
CriticalTrigger Reachable Dangerous Capabilitydist/lystech-core-provider.umd.js
HighInstall Time Lifecycle Scriptspackage.json
HighHigh Secretdist/lystech-core-provider.umd.js
HighOversized Source Filedist/lystech-core-provider.es.js
HighSecret Patterndist/lystech-core-provider.umd.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings