Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/fetcher/browser.jsView file
236*
L237: * data:/blob:/about: 等ネットワークアクセスを伴わないスキーム(インライン画像・CSS等)は許可し、
L238: * file: はローカルファイル読み取り防止のため遮断、http(s)は埋め込みIPが予約アドレスでないか検証する。
...
L266: * fetcher/http.tsのSSRF/スキーム検証(guardPublicAddress)を経由せずpage.goto()していたため、
L267: * `file:///etc/passwd` や `http://169.254.169.254/...` が素通りしていた。
L268: *
...
L272: * - メインフレームのナビゲーション(初回遷移・各リダイレクトホップ): guardPublicAddressで
L273: * 再検証し、private/予約アドレスやhttp(s)以外のスキームは実接続前にabort。型付きエラー
L274: * ([redacted])へ変換してgoto()の失敗を報告する。
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/fetcher/browser.jsView on unpkg · L236dist/cache.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = amenbo@0.1.3
matchedIdentity = npm:YW1lbmJv:0.1.3
similarity = 0.385
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cache.jsView on unpkgFindings
2 High3 Medium4 Low
HighCloud Metadata Accessdist/fetcher/browser.js
HighPrevious Version Dangerous Deltadist/cache.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings