registry  /  @segment/action-destinations  /  3.496.0

@segment/action-destinations@3.496.0

⚠ Under review

Destination Actions engine and definitions.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2,304 file(s), 5.08 MB of source, external domains: a.klaviyo.com, accounts.google.com, accounts.snapchat.com, admin.listrak.com, ads-api.reddit.com, ads.microsoft.com, ads.nextdoor.com, ads.tiktok.com, adsapi.snapchat.com, advertising-api-eu.amazon.com, advertising-api-fe.amazon.com, advertising-api.amazon.com, altertable.ai, amplitude.com, analytex.userpilot.io, analytics.eu.amplitude.com, api-01.moengage.com, api-02.moengage.com, api-03.moengage.com, api-04.moengage.com, api-05.moengage.com, api-dashboard.getambee.com, api-dev.prodeology.com, api-eu.mixpanel.com, api-in.mixpanel.com, api-pls.outfunnel.com, api.altertable.ai, api.amazon.co.jp, api.amazon.co.uk, api.amazon.com, api.amplitude.com, api.appfit.io, api.attentivemobile.com, api.attio.com, api.avo.app, api.batch.com, api.blnd.ai, api.close.com, api.converscience.com, api.criteo.com, api.devrev.ai, api.dub.co, api.emarsys.net, api.encharge.io, api.eu.amplitude.com, api.eu.iterable.com, api.eu.sendgrid.com, api.fullstory.com, api.gameball.co, api.getcalliper.com

Source & flagged code

5 flagged · loading source
dist/destinations/kafka/utils.jsView file
84patternName = private_key_rsa severity = critical line = 84 matchedText = (ssl.key...-`),
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/destinations/kafka/utils.jsView on unpkg · L84
84patternName = private_key_rsa severity = critical line = 84 matchedText = (ssl.key...-`),
Critical
Secret Pattern

RSA private key in dist/destinations/kafka/utils.js

dist/destinations/kafka/utils.jsView on unpkg · L84
dist/destinations/facebook-custom-audiences/constants.jsView file
3exports.BASE_URL = exports.FACEBOOK_CUSTOM_AUDIENCE_JOURNEYS_FLAGON = exports.FACEBOOK_CUSTOM_AUDIENCE_FLAGON = exports.CANARY_API_VERSION = exports.API_VERSION = void 0; L4: const versioning_info_1 = require("./versioning-info"); L5: exports.API_VERSION = versioning_info_1.FACEBOOK_CUSTOM_AUDIENCES_API_VERSION;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/destinations/facebook-custom-audiences/constants.jsView on unpkg · L3
dist/destinations/vwo/utility.jsView file
33exports.hosts = { L34: US: 'https://dev.visualwebsiteoptimizer.com', L35: EU: 'https://dev.visualwebsiteoptimizer.com/eu01', ... L38: function uuidv5(name, namespace) { L39: const namespaceBuffer = Buffer.from(namespace.replace(/-/g, ''), 'hex'); L40: const nameBuffer = Buffer.from(name);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/destinations/vwo/utility.jsView on unpkg · L33
dist/destinations/linkedin-conversions/index.jsView file
8const constants_1 = require("./constants"); L9: const https_1 = __importDefault(require("https")); L10: const streamConversion_1 = __importDefault(require("./streamConversion")); ... L35: let res; L36: if (!process.env.ACTIONS_LINKEDIN_CONVERSIONS_CLIENT_ID) { L37: throw new actions_core_1.IntegrationError(`Missing client ID`, actions_core_1.ErrorCodes.OAUTH_REFRESH_FAILED, 500); ... L50: }, L51: body: new URLSearchParams({ L52: refresh_token: auth.refreshToken,
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/destinations/linkedin-conversions/index.jsView on unpkg · L8

Findings

3 Critical3 Medium7 Low
CriticalCritical Secretdist/destinations/kafka/utils.js
CriticalCredential Exfiltrationdist/destinations/linkedin-conversions/index.js
CriticalSecret Patterndist/destinations/kafka/utils.js
MediumDynamic Requiredist/destinations/facebook-custom-audiences/constants.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/destinations/vwo/utility.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings