asepxyz@1.0.1

A WebSockets library for interacting with WhatsApp Web (fork of levvleys/Baileys)

Static Scan Results

scanned 11h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, Eval, Filesystem, Network, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: GitDependency
scanned 126 file(s), 5.77 MB of source, external domains: call.whatsapp.com, mmg.whatsapp.net, raw.githubusercontent.com, web.whatsapp.com, www.whatsapp.com
Oversized source lightweight scan
WAProto/E2E/E2E.js · 3.81 MB file, sampled 256 KB
ChildProcess
WAProto/HistorySync/HistorySync.js · 4.65 MB file, sampled 256 KB
ChildProcess
WAProto/MdStorageMsgRowOpaqueData/MdStorageMsgRowOpaqueData.js · 3.93 MB file, sampled 256 KB
ChildProcess
WAProto/Web/Web.js · 4.35 MB file, sampled 256 KB
ChildProcess

Source & flagged code

6 flagged
package.json
scripts.preinstall = node ./engine-requirements.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

lib/WABinary/constants.js
L602: patternName = google_api_key severity = high line = 602 matchedText = "AIzaSyD...Lk",
High
High Secret

Package contains a high-severity secret pattern.

L602: patternName = google_api_key severity = high line = 602 matchedText = "AIzaSyD...Lk",
High
Secret Pattern

Google API key in lib/WABinary/constants.js

lib/Utils/messages-media.js
L200: try {
L201: const { default: decoder } = await eval("import('audio-decode')");
L202: let audioData;
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/Utils/crypto.js
L4: createCipheriv: createCipheriv,
L5: createDecipheriv: createDecipheriv,
L6: createHash: createHash,
...
L17: return {
L18: private: Buffer.from(privKey),
L19: public: Buffer.from(pubKey.slice(1)),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

WAProto/HistorySync/HistorySync.js
path = WAProto/HistorySync/HistorySync.js kind = oversized_source_file sizeBytes = 4879942 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.


Findings

4 High · 3 Medium · 6 Low
High · Install Time Lifecycle Scripts · package.json
High · High Secret · lib/WABinary/constants.js
High · Oversized Source File · WAProto/HistorySync/HistorySync.js
High · Secret Pattern · lib/WABinary/constants.js
Medium · Network
Medium · Structural Risk Force Deep Review
Medium · Git Dependency
Low · Scripts Present
Low · Eval · lib/Utils/messages-media.js
Low · Weak Crypto · lib/Utils/crypto.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings