registry  /  @mohasinac/appkit  /  3.1.2

@mohasinac/appkit@3.1.2

Internal component library and server toolkit for the LetItRip collectibles marketplace.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,999 file(s), 7.42 MB of source, external domains: accounts.google.com, adnetwork.example, api.razorpay.com, api.twilio.com, apiv2.shiprocket.in, beyblade.takaratomy.co.jp, brand.com, cdn.example-ads.com, chat.whatsapp.com, en.bushiroad.com, example.com, facebook.com, github.com, graph.facebook.com, images.unsplash.com, images.ygoprodeck.com, img.youtube.com, instagram.com, kaibacorp.jp, kaiyodo.co.jp, letitrip.in, linkedin.com, maps.google.com, maps.googleapis.com, mcfarlane.com, open.tiktokapis.com, picsum.photos, pinterest.com, pokemonpalace.in, schema.org, search.google.com, shiprocket.co, storage.googleapis.com, tamashiinations.com, tokyotoys.in, twitter.com, upload.wikimedia.org, wa.me, www.bandai.co.jp, www.bandaispirits.co.jp, www.beckett.com, www.deviantart.com, www.facebook.com, www.funko.com, www.goodsmile.info, www.hasbro.com, www.instagram.com, www.konami.com, www.kotobukiya.co.jp, www.letitrip.in

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/dedupe-peer-deps.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/features/auth/auth-helpers.jsView file
26patternName = generic_password severity = medium line = 26 matchedText = password...rd",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/features/auth/auth-helpers.jsView on unpkg · L26
dist/cli/index.jsView file
116// Opaque dynamic import — prevents bundlers from statically analysing the path L117: const _dynamicImport = new Function("modulePath", "return import(modulePath)"); L118: function deepMerge(a, b) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/index.jsView on unpkg · L116
dist/security/settings-encryption.jsView file
1// crypto is a Node.js built-in. Use require() to keep it out of the static L2: // import graph so Next.js Edge bundler does not warn about this file.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/security/settings-encryption.jsView on unpkg · L1
scripts/seed-cli.mjsView file
437patternName = generic_password severity = medium line = 437 matchedText = await au... });
Medium
Secret Pattern

Hardcoded password in scripts/seed-cli.mjs

scripts/seed-cli.mjsView on unpkg · L437

Findings

1 High6 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumSecret Patterndist/features/auth/auth-helpers.js
MediumDynamic Requiredist/security/settings-encryption.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternscripts/seed-cli.mjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings