registry  /  @redhat-cloud-services/frontend-components-config  /  6.12.0

@redhat-cloud-services/frontend-components-config@6.12.0

Config plugins and settings for RedHat Cloud Services project.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 94.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 114 KB of source, external domains: app-interface.apps.rosa.appsrep09ue1.03r5.p3.openshiftapps.com, github.com, raw.githubusercontent.com, squid.corp.redhat.com

Source & flagged code

4 flagged · loading source
bin/build-script.jsView file
6var path_1 = require("path"); L7: var child_process_1 = require("child_process"); L8: function buildScript(argv, cwd) {
High
Child Process

Package source references child process execution.

bin/build-script.jsView on unpkg · L6
17process.env.NODE_ENV = 'production'; L18: var subprocess = (0, child_process_1.spawn)("npm exec -- webpack -c ".concat(configPath), [], { L19: stdio: [process.stdout, process.stdout, process.stdout],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/build-script.jsView on unpkg · L17
bin/webpack.plugins.jsView file
23Object.defineProperty(exports, "__esModule", { value: true }); L24: var frontend_components_config_utilities_1 = require("@redhat-cloud-services/frontend-components-config-utilities"); L25: var rootDir = process.env.FEC_ROOT_DIR || process.cwd();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/webpack.plugins.jsView on unpkg · L23
bin/dev-proxy-script.jsView file
matchType = malicious_source_fingerprint_signature signature = 0adcae2f9652ff5e signatureType = suspicious_hashes sourceLabel = Datadog matchedPackage = @redhat-cloud-services/frontend-components-config@6.11.3 matchedPath = bin/dev-proxy-script.js matchedIdentity = npm:[redacted]:6.11.3 similarity = 1.000 shingleOverlap = 15 summary = Datadog malicious npm corpus sample: samples/npm/compromised_lib/@redhat-cloud-services@frontend-components-config/6.11.3/2026-06-01-@redhat-cloud-services_frontend-components-config-v6.11.3.zip
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin/dev-proxy-script.jsView on unpkg

Findings

4 High4 Medium3 Low
HighChild Processbin/build-script.js
HighShell
HighRuntime Package Installbin/build-script.js
HighKnown Malware Source Fingerprint Signaturebin/dev-proxy-script.js
MediumDynamic Requirebin/webpack.plugins.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings