registry  /  @lystech/core  /  3.0.81

@lystech/core@3.0.81

⚠ Under review

Lystech Core contains essentials for lystech apps

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 2.15 MB of source, external domains: accounts.google.com, ant.design, api.github.com, apis.google.com, github.com, jedwatson.github.io, lysbunback-usgg4.ondigitalocean.app, lystech.firebaseio.com, momentjs.com, placehold.co, react-query.tanstack.com, reactjs.org, reactrouter.com, u.ant.design, www.google.com, www.paypal.com, www.sandbox.paypal.com, www.w3.org
Oversized source lightweight scan
dist/lystech-core-provider.es.js2.37 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsmomentjs.comreactjs.orgwww.google.comwww.paypal.comwww.sandbox.paypal.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/lystech-core-provider.umd.jsView file
16* LICENSE file in the root directory of this source tree. L17: */var c0;function s4(){return c0||(c0=1,process.env.NODE_ENV!=="production"&&function(){var e=O,t=Symbol.for("react.element"),n=Symbol.for("react.portal"),r=Symbol.for("react.fragm... L18: `+$+Z}}var oe=!1,se;{var X=typeof WeakMap=="function"?WeakMap:Map;se=new X}function ae(Z,Ie){if(!Z||oe)return"";{var Le=se.get(Z);if(Le!==void 0)return Le}var Ve;oe=!0;var it=Error... ... L20: `),xt=dt.length-1,At=Ht.length-1;xt>=1&&At>=0&&dt[xt]!==Ht[At];)At--;for(;xt>=1&&At>=0;xt--,At--)if(dt[xt]!==Ht[At]){if(xt!==1||At!==1)do if(xt--,At--,At<0||dt[xt]!==Ht[At]){var Ue... L21: `+dt[xt].replace(" at new "," at ");return Z.displayName&&Ue.includes("<anonymous>")&&(Ue=Ue.replace("<anonymous>",Z.displayName)),typeof Z=="function"&&se.set(Z,Ue),Ue}while(xt>=1... L22: ... L59: * limitations under the License. L60: */const u0=function(e){const t=[];let n=0;for(let r=0;r<e.length;r++){let a=e.charCodeAt(r);a<128?t[n++]=a:a<2048?(t[n++]=a>>6|192,t[n++]=a&63|128):(a&64512)===55296&&r+1<e.length&... L61: * @license ... L374: * limitations under the License. L375: */function LO(e){fs(new ai("platform-logger",t=>new X4(t),"PRIVATE")),fs(ne
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/lystech-core-provider.umd.jsView on unpkg · L16
16Trigger-reachable chain: manifest.main -> dist/lystech-core-provider.umd.js L16: * LICENSE file in the root directory of this source tree. L17: */var c0;function s4(){return c0||(c0=1,process.env.NODE_ENV!=="production"&&function(){var e=O,t=Symbol.for("react.element"),n=Symbol.for("react.portal"),r=Symbol.for("react.fragm... L18: `+$+Z}}var oe=!1,se;{var X=typeof WeakMap=="function"?WeakMap:Map;se=new X}function ae(Z,Ie){if(!Z||oe)return"";{var Le=se.get(Z);if(Le!==void 0)return Le}var Ve;oe=!0;var it=Error... ... L20: `),xt=dt.length-1,At=Ht.length-1;xt>=1&&At>=0&&dt[xt]!==Ht[At];)At--;for(;xt>=1&&At>=0;xt--,At--)if(dt[xt]!==Ht[At]){if(xt!==1||At!==1)do if(xt--,At--,At<0||dt[xt]!==Ht[At]){var Ue... L21: `+dt[xt].replace(" at new "," at ");return Z.displayName&&Ue.includes("<anonymous>")&&(Ue=Ue.replace("<anonymous>",Z.displayName)),typeof Z=="function"&&se.set(Z,Ue),Ue}while(xt>=1... L22: ... L59: * limitations under the License. L60: */const u0=function(e){const t=[];let n=0;for(let r=0;r<e.length;r++){let a=e.charCodeAt(r);a<128?t[n++]=a:a<2048?(t[n++]=a>>6|192,t[n++]=a&63|128):(a&64512)===55296&&r+1<e.length&... L61: * @license ... L374: * limitations under the License. L375…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lystech-core-provider.umd.jsView on unpkg · L16
1718patternName = google_api_key severity = high line = 1718 matchedText = }`;funct...nce.
High
High Secret

Package contains a high-severity secret pattern.

dist/lystech-core-provider.umd.jsView on unpkg · L1718
1718patternName = google_api_key severity = high line = 1718 matchedText = }`;funct...nce.
High
Secret Pattern

Google API key in dist/lystech-core-provider.umd.js

dist/lystech-core-provider.umd.jsView on unpkg · L1718
dist/lystech-core-provider.es.jsView file
path = dist/lystech-core-provider.es.js kind = oversized_source_file sizeBytes = 2480651 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/lystech-core-provider.es.jsView on unpkg

Findings

2 Critical4 High4 Medium5 Low
CriticalCredential Exfiltrationdist/lystech-core-provider.umd.js
CriticalTrigger Reachable Dangerous Capabilitydist/lystech-core-provider.umd.js
HighInstall Time Lifecycle Scriptspackage.json
HighHigh Secretdist/lystech-core-provider.umd.js
HighOversized Source Filedist/lystech-core-provider.es.js
HighSecret Patterndist/lystech-core-provider.umd.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings