registry  /  @webitel/ui-sdk  /  26.6.72

@webitel/ui-sdk@26.6.72

Main lib

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 475 file(s), 4.94 MB of source, external domains: cdn.jsdelivr.net, dev.webitel.com, docs.webitel.com, example.com, f.vimeocdn.com, fresnel.vimeocdn.com, github.com, googleads.g.doubleclick.net, i.vimeocdn.com, i.ytimg.com, player.vimeo.com, static.doubleclick.net, vimeo.com, vue-i18n.intlify.dev, www.google.com, www.gstatic.com, www.w3.org, www.youtube-nocookie.com, www.youtube.com
Oversized source lightweight scan
dist/ui-sdk.umd.cjs4.09 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsgithub.comwww.w3.org

Source & flagged code

7 flagged · loading source
src/locale/vi/vi.jsView file
143patternName = generic_password severity = medium line = 143 matchedText = password...ẩu',
Medium
Secret Pattern

Package contains a possible secret pattern.

src/locale/vi/vi.jsView on unpkg · L143
src/modules/Notifications/assets/audio/new-chat.wavView file
path = [redacted]-chat.wav kind = high_entropy_blob sizeBytes = 154396 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/modules/Notifications/assets/audio/new-chat.wavView on unpkg
dist/ui-sdk.umd.cjsView file
path = dist/ui-sdk.umd.cjs kind = oversized_source_file sizeBytes = 4287474 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ui-sdk.umd.cjsView on unpkg
package.jsonView file
Remote tarball dependency specs: xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
Medium
Remote Tarball Dependency

Package manifest contains a dependency pinned to a remote tarball URL.

package.jsonView on unpkg
src/locale/kz/kz.jsView file
143patternName = generic_password severity = medium line = 143 matchedText = password...өз',
Medium
Secret Pattern

Hardcoded password in src/locale/kz/kz.js

src/locale/kz/kz.jsView on unpkg · L143
src/locale/es/es.jsView file
141patternName = generic_password severity = medium line = 141 matchedText = password...ña',
Medium
Secret Pattern

Hardcoded password in src/locale/es/es.js

src/locale/es/es.jsView on unpkg · L141
src/locale/en/en.jsView file
146patternName = generic_password severity = medium line = 146 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in src/locale/en/en.js

src/locale/en/en.jsView on unpkg · L146

Findings

2 High7 Medium5 Low
HighShips High Entropy Blobsrc/modules/Notifications/assets/audio/new-chat.wav
HighOversized Source Filedist/ui-sdk.umd.cjs
MediumSecret Patternsrc/locale/vi/vi.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumRemote Tarball Dependencypackage.json
MediumSecret Patternsrc/locale/kz/kz.js
MediumSecret Patternsrc/locale/es/es.js
MediumSecret Patternsrc/locale/en/en.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License