registry  /  arn-browser  /  0.1.55

arn-browser@0.1.55

A lightweight, browser autmation helper.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 259 KB of source, external domains: 127.0.0.1, api.ip2location.io, api.multilogin.com, brave.com, doublelist.com, github.com, httpbin.org, ip-api.com, launcher.mlx.yt, profile-proxy.multilogin.com, www.chromium.org, www.google.com, www.mozilla.org

Source & flagged code

2 flagged · loading source
src/utility/mlx_token.jsView file
8* Always reads fresh from DB (no in-memory cache) to support multiple processes. L9: * @returns {Promise<{id: string, email: string, password: string, workspace_id: string, data: object}>} L10: */ ... L36: const [, payloadB64] = token.split("."); L37: const payload = JSON.parse(Buffer.from(payloadB64, "base64").toString()); L38: return payload.exp * 1000 < Date.now() + 5 * 60 * 1000; ... L50: L51: const res = await fetch("https://api.multilogin.com/user/signin", { L52: method: "POST",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/utility/mlx_token.jsView on unpkg · L8
src/utility/puppeteer/findBrowserPath.jsView file
7L8: import { execSync } from "child_process"; L9: import fs from "fs"; ... L28: win32: [ L29: path.join(process.env.PROGRAMFILES || "C:\\Program Files", "Google", "Chrome", "Application", "chrome.exe"), L30: path.join(process.env["PROGRAMFILES(X86)"] || "C:\\Program Files (x86)", "Google", "Chrome", "Application", "chrome.exe"), ... L96: chrome: { L97: linux: "sudo apt install google-chrome-stable OR download from https://www.google.com/chrome/", L98: darwin: "Download from https://www.google.com/chrome/", ... L126: function resolveFromPath(command) { L127: const isWindows = process.platform === "win32"; L128: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/utility/puppeteer/findBrowserPath.jsView on unpkg · L7

Findings

1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitysrc/utility/puppeteer/findBrowserPath.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/utility/mlx_token.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings