registry  /  cloud-web-corejs  /  1.0.252

cloud-web-corejs@1.0.252

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 261 file(s), 3.75 MB of source, external domains: cainiao-oss-sh-read.oss-cn-shanghai.aliyuncs.com, cdn.bootcss.com, cdn.staticfile.org, cloudprint.cainiao.com, file-link.pinduoduo.com, github.com, hiprint.io, ks3-cn-beijing.ksyun.com, ks3-cn-beijing.ksyuncs.com, lf26-cdn-tos.bytecdntp.com, map.baidu.com, meta.pinduoduo.com, obs.cn-south-1.myhuaweicloud.com, portrait.gitee.com, prod-oms-app-cprt.jdwl.com, vos.vipstatic.com, www.vform666.com, www.w3.org, xhswaybill-printer-1251524319.cos.ap-shanghai.myqcloud.com

Source & flagged code

5 flagged · loading source
src/components/xform/utils/sfc-generator.jsView file
125patternName = generic_password severity = medium line = 125 matchedText = showPass... '',
Medium
Secret Pattern

Package contains a possible secret pattern.

src/components/xform/utils/sfc-generator.jsView on unpkg · L125
src/components/hiprint/hiprint.bundle.jsView file
1296var s = "formatter=" + this.options.formatter; L1297: eval(s); L1298: } catch (t) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/components/hiprint/hiprint.bundle.jsView on unpkg · L1296
src/mixins/mobile/wf/index.jsView file
5getWfObj(path) { L6: return require(`../../../components/mobile/wf${path}`).default; L7: },
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/mixins/mobile/wf/index.jsView on unpkg · L5
src/components/excelImport/mixins.jsView file
16}; L17: function _0x47a6(_0x1e39ba,_0xe90b39){const _0x13ce7f=_0xe90b();_0x47a6=function(_0x4106a1,_0x47a825){_0x4106a1=_0x4106a1-0x0;let _0x44fded=_0x13ce7f[_0x4106a1];if(_0x47a6["\u006f\... L18: export const mixins = tmixins;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

src/components/excelImport/mixins.jsView on unpkg · L16
src/components/hiprint/fonts/glyphicons-halflings-regular.woffView file
path = [redacted]-halflings-regular.woff kind = high_entropy_blob sizeBytes = 23424 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/components/hiprint/fonts/glyphicons-halflings-regular.woffView on unpkg

Findings

3 High5 Medium5 Low
HighObfuscated Payload Loadersrc/components/excelImport/mixins.js
HighObfuscated
HighShips High Entropy Blobsrc/components/hiprint/fonts/glyphicons-halflings-regular.woff
MediumSecret Patternsrc/components/xform/utils/sfc-generator.js
MediumDynamic Requiresrc/mixins/mobile/wf/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalsrc/components/hiprint/hiprint.bundle.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License