registry  /  @smartledger/bsv  /  6.2.2

@smartledger/bsv@6.2.2

🚀 Complete Bitcoin SV development framework with legally-recognizable DID:web + W3C VC-JWT toolkit, Legal Token Protocol (LTP), Global Digital Attestation Framework (GDAF), StatusList2021 revocation, and 16 flexible loading options. Standards-based crede

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindings
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 165 file(s), 9.19 MB of source, external domains: bsv.io, docs.moneybutton.com, github.com, smartledger.technology, w3id.org, www.w3.org

Source & flagged code

5 flagged · loading source
bsv-statuslist.min.jsView file
10`)+" "+e.join(`, L11: `)+" "+r[1]:r[0]+t+" "+e.join(", ")+" "+r[1]}Ue.types=ny();function uy(e){return Array.isArray(e)}Ue.isArray=uy;function Zl(e){return typeof e=="boolean"}Ue.isBoolean=Zl;function $... L12: this._initNamed(entity);
Low
Eval

Package source references a known benign dynamic code generation pattern.

bsv-statuslist.min.jsView on unpkg · L10
lib/crypto/hash.node.jsView file
11* See: L12: * https://en.wikipedia.org/wiki/SHA-1 L13: *
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/crypto/hash.node.jsView on unpkg · L11
bsv-smartcontract.min.jsView file
1var bsvSmartContract=(()=>{var xf=Object.create;var Fn=Object.defineProperty;var yf=Object.getOwnPropertyDescriptor;var wf=Object.getOwnPropertyNames;var bf=Object.getPrototypeOf,S... L2: `)};tt.prototype._generateLeftExtractionASM=function(t,e){var r=[{name:"nVersion",len:4,offset:0},{name:"hashPrevouts",len:32,offset:4},{name:"hashSequence",len:32,offset:36},{name... ... L4: `)};tt.prototype._generateScriptLenExtractionASM=function(t,e){return["# \u{1F3AF} Extract scriptLen CompactSize varint ("+t.scriptLenSize+" bytes)","104 OP_SPLIT # Skip... L5: `)};tt.prototype._extractSpecificField=function(t,e){var r=e[t];return r?E.Buffer.from(r,"hex"):null};tt.prototype._interpretField=function(t,e,r){if(!e)return null;var n={raw:e.to... L6: `),Object.keys(t.wallets).length>0&&(Bt("\u{1F45B} Registered Wallets:"),Object.entries(t.wallets).forEach(([e,r])=>{Bt(` ${e}: ${r.utxos.length} UTXOs, ${r.totalValue} sats`)})),... ... L16: \u{1F9E9} Step ${A+1}: ${Te.Opcode.reverseMap[O.opcodenum]||"PUSH"}`),console.log("Stack:",Ln(x.stack)),console.log("AltStack:",Ln(x.altstack))}catch(T){console.log(`\u26A0\uFE0F E... L17: ===========================================`),console.log(
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

bsv-smartcontract.min.jsView on unpkg · L1
test/data/blk86756-testnet.datView file
•path = test/data/blk86756-testnet.dat kind = high_entropy_blob sizeBytes = 9500 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

test/data/blk86756-testnet.datView on unpkg
•path = test/data/blk86756-testnet.dat kind = payload_in_excluded_dir sizeBytes = 9500 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

test/data/blk86756-testnet.datView on unpkg

Findings

4 High3 Medium8 Low
HighObfuscated Payload Loaderbsv-smartcontract.min.js
HighObfuscated
HighShips High Entropy Blobtest/data/blk86756-testnet.dat
HighPayload In Excluded Dirtest/data/blk86756-testnet.dat
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalbsv-statuslist.min.js
LowWeak Cryptolib/crypto/hash.node.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings