registry  /  @vinzsocket/baileys  /  3.2.11

@vinzsocket/baileys@3.2.11

A WebSockets library for interacting with WhatsApp Web

Static Scan Results

scanned 11h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 103 file(s), 1.78 MB of source, external domains: call.whatsapp.com, raw.githubusercontent.com, wa.me, web.whatsapp.com, www.whatsapp.com
Oversized source lightweight scan
WAProto/index.js4.23 MB file, sampled 256 KB
ChildProcess

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.preinstall = node ./engine-requirements.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
lib/WABinary/constants.jsView file
600patternName = google_api_key severity = high line = 600 matchedText = 'AIzaSyD...Lk',
High
High Secret

Package contains a high-severity secret pattern.

lib/WABinary/constants.jsView on unpkg · L600
600patternName = google_api_key severity = high line = 600 matchedText = 'AIzaSyD...Lk',
High
Secret Pattern

Google API key in lib/WABinary/constants.js

lib/WABinary/constants.jsView on unpkg · L600
engine-requirements.jsView file
2L3: // require(esm) is only stable on Node 20.19.0+ and 22.12.0+ (and any 23.x+). L4: // Below that, `require('@vinzsocket/baileys')` from a CommonJS bot will throw ERR_REQUIRE_ESM.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

engine-requirements.jsView on unpkg · L2
lib/Utils/validate-connection.jsView file
107pull: false, L108: devicePairingData: { L109: buildHash: appVersionBuf, ... L134: const { details, hmac, accountType } = proto.ADVSignedDeviceIdentityHMAC.decode(deviceIdentityNode.content); L135: let hmacPrefix = Buffer.from([]); L136: if (accountType !== undefined && accountType === proto.ADVEncryptionType.HOSTED) { ... L158: ]); L159: account.deviceSignature = Curve.sign(signedIdentityKey.private, deviceMsg); L160: const identity = createSignalIdentity(lid, accountSignatureKey);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/Utils/validate-connection.jsView on unpkg · L107
WAProto/GenerateStatics.shView file
path = WAProto/GenerateStatics.sh kind = build_helper sizeBytes = 302 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

WAProto/GenerateStatics.shView on unpkg
WAProto/index.jsView file
path = WAProto/index.js kind = oversized_source_file sizeBytes = 4435208 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

WAProto/index.jsView on unpkg
lib/WABinary/constants.d.tsView file
20patternName = google_api_key severity = high line = 20 matchedText = export d..."]];
High
Secret Pattern

Google API key in lib/WABinary/constants.d.ts

lib/WABinary/constants.d.tsView on unpkg · L20

Findings

5 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHigh Secretlib/WABinary/constants.js
HighOversized Source FileWAProto/index.js
HighSecret Patternlib/WABinary/constants.js
HighSecret Patternlib/WABinary/constants.d.ts
MediumDynamic Requireengine-requirements.js
MediumNetwork
MediumShips Build HelperWAProto/GenerateStatics.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptolib/Utils/validate-connection.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings