registry  /  amiudmodz  /  6.0.7

amiudmodz@6.0.7

WhatsApp Baileys mod Powered by UDMODZ

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 121 file(s), 1.88 MB of source, external domains: call.whatsapp.com, raw.githubusercontent.com, wa.me, web.whatsapp.com, www.whatsapp.com
Oversized source lightweight scan
WAProto/index.js5.01 MB file, sampled 256 KB
ChildProcess

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.preinstall = node ./engine-requirements.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
lib/WABinary/constants.jsView file
600patternName = google_api_key severity = high line = 600 matchedText = 'AIzaSyD...Lk',
High
High Secret

Package contains a high-severity secret pattern.

lib/WABinary/constants.jsView on unpkg · L600
600patternName = google_api_key severity = high line = 600 matchedText = 'AIzaSyD...Lk',
High
Secret Pattern

Google API key in lib/WABinary/constants.js

lib/WABinary/constants.jsView on unpkg · L600
lib/Utils/messages-media.jsView file
25const [sharp, image, jimp] = await Promise.all([ L26: import(sharpModule).catch(() => { }), L27: import(napiRsImageModule).catch(() => { }),
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/Utils/messages-media.jsView on unpkg · L25
lib/Utils/validate-connection.jsView file
108pull: false, L109: devicePairingData: { L110: buildHash: appVersionBuf, ... L135: const { details, hmac, accountType } = proto.ADVSignedDeviceIdentityHMAC.decode(deviceIdentityNode.content); L136: let hmacPrefix = Buffer.from([]); L137: if (accountType !== undefined && accountType === proto.ADVEncryptionType.HOSTED) { ... L159: ]); L160: account.deviceSignature = Curve.sign(signedIdentityKey.private, deviceMsg); L161: const identity = createSignalIdentity(lid, accountSignatureKey);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/Utils/validate-connection.jsView on unpkg · L108
WAProto/GenerateStatics.shView file
path = WAProto/GenerateStatics.sh kind = build_helper sizeBytes = 305 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

WAProto/GenerateStatics.shView on unpkg
WAProto/index.jsView file
path = WAProto/index.js kind = oversized_source_file sizeBytes = 5256183 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

WAProto/index.jsView on unpkg
lib/WABinary/constants.d.tsView file
20patternName = google_api_key severity = high line = 20 matchedText = export d..."]];
High
Secret Pattern

Google API key in lib/WABinary/constants.d.ts

lib/WABinary/constants.d.tsView on unpkg · L20

Findings

5 High4 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHigh Secretlib/WABinary/constants.js
HighOversized Source FileWAProto/index.js
HighSecret Patternlib/WABinary/constants.js
HighSecret Patternlib/WABinary/constants.d.ts
MediumDynamic Requirelib/Utils/messages-media.js
MediumNetwork
MediumShips Build HelperWAProto/GenerateStatics.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptolib/Utils/validate-connection.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License