registry  /  @wrongstack/webui  /  0.281.0

@wrongstack/webui@0.281.0

⚠ Under review

Browser-based WebUI for WrongStack — React + Vite frontend with WebSocket backend that drives the same agent kernel as the CLI/TUI.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 85 file(s), 7.12 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.minimax.io, bugzilla.mozilla.org, cdn.jsdelivr.net, code.google.com, console.anthropic.com, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, mcp.context7.com, mcp.example.com, mcp.sentinel.ai, openrouter.ai, platform.deepseek.com, platform.minimax.io, platform.openai.com, r12a.github.io, raw.githubusercontent.com, react.dev, reactflow.dev, sass-lang.com, schema.org, stackoverflow.com, support.google.com, tools.ietf.org, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.kimi.com, www.w3.org, www.whatwg.org
Oversized source lightweight scan
dist/assets/monaco-DqY9Mr3N.js4.00 MB file, sampled 256 KB
ChildProcessHighEntropyStringsMinifiedUrlStringscdn.jsdelivr.netgithub.com
dist/assets/ts.worker-CDlTriQ3.js6.58 MB file, sampled 256 KB
FilesystemNetworkChildProcess
dist/index.js2.34 MB file, sampled 256 KB
HighEntropyStringsUrlStringsgithub.com

Source & flagged code

4 flagged · loading source
dist/server/handlers.jsView file
63package = @wrongstack/webui; repositoryIdentity = wrongstack; dependency = @wrongstack/core L63: try { L64: const { loadTasks } = await import("@wrongstack/core"); L65: const file = await loadTasks(taskPath);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/server/handlers.jsView on unpkg · L63
dist/assets/html.worker-BO6WuOEO.jsView file
29contains invisible/control Unicode U+2060 (word joiner) `,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/assets/html.worker-BO6WuOEO.jsView on unpkg · L29
dist/assets/ibm-plex-mono-latin-ext-500-normal-CZ70TYgx.woffView file
path = dist/assets/ibm-plex-mono-latin-ext-500-normal-CZ70TYgx.woff kind = high_entropy_blob sizeBytes = 11768 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/ibm-plex-mono-latin-ext-500-normal-CZ70TYgx.woffView on unpkg
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 2452079 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalTrojan Source Unicodedist/assets/html.worker-BO6WuOEO.js
HighCopied Package Dependency Bridgedist/server/handlers.js
HighShips High Entropy Blobdist/assets/ibm-plex-mono-latin-ext-500-normal-CZ70TYgx.woff
HighOversized Source Filedist/index.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings