registry  /  @tmlmobilidade/emails  /  20260703.1345.26

@tmlmobilidade/emails@20260703.1345.26

⚠ Under review

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicenseWildcardDependency
scanned 33 file(s), 34.4 KB of source, external domains: go.tmlmobilidade.pt, outlook.office365.com, storage.carrismetropolitana.pt, www.tmlmobilidade.pt

Source & flagged code

2 flagged · loading source
dist/email.provider.jsView file
25// Check for required environment variables L26: if (!process.env.TML_PROVIDER_EMAIL_SERVER_HOST) L27: throw new Error('Missing required environment variable: TML_PROVIDER_EMAIL_SERVER_HOST'); ... L92: return this._refreshToken.token; L93: const requestBody = new URLSearchParams({ L94: client_id: process.env.TML_PROVIDER_EMAIL_AUTH_CLIENT_ID, ... L96: grant_type: 'client_credentials', L97: scope: 'https://outlook.office365.com/.default', L98: }).toString(); ... L105: }); L106: const responseText = await response.text(); L107: if (!response.ok) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/email.provider.jsView on unpkg · L25
25Trigger-reachable chain: manifest.main -> dist/index.js -> dist/email.provider.js L25: // Check for required environment variables L26: if (!process.env.TML_PROVIDER_EMAIL_SERVER_HOST) L27: throw new Error('Missing required environment variable: TML_PROVIDER_EMAIL_SERVER_HOST'); ... L92: return this._refreshToken.token; L93: const requestBody = new URLSearchParams({ L94: client_id: process.env.TML_PROVIDER_EMAIL_AUTH_CLIENT_ID, ... L96: grant_type: 'client_credentials', L97: scope: 'https://outlook.office365.com/.default', L98: }).toString(); ... L105: }); L106: const responseText = await response.text(); L107: if (!response.ok) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/email.provider.jsView on unpkg · L25

Findings

2 Critical4 Medium4 Low
CriticalCredential Exfiltrationdist/email.provider.js
CriticalTrigger Reachable Dangerous Capabilitydist/email.provider.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License