Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
WildcardDependency
Source & flagged code
4 flagged · loading sourcetemplates/nextblock-template/app/api/cron/reset-sandbox/route.tsView file
2612patternName = generic_password
severity = medium
line = 2612
matchedText = password...rd',
Medium
Secret Pattern
Package contains a possible secret pattern.
templates/nextblock-template/app/api/cron/reset-sandbox/route.tsView on unpkg · L2612templates/nextblock-template/app/actions/package-actions.tsView file
14// The key itself determines the environment.
L15: const FM_API_URL = 'https://api.freemius.com/v1';
L16:
...
L40: export async function activatePackage(key: string) {
L41: if (process.env.NEXT_PUBLIC_IS_SANDBOX === 'true') {
L42: return { error: 'License activation is disabled in Sandbox mode. To purchase a real license, visit nextblock.ca' };
...
L80:
L81: const responseData = await response.json();
L82:
...
L146: // 1. Get current activation
L147: const { data: activation, error: fetchError } = await supabase
L148: .from('package_activations')
Low
Weak Crypto
Package source references weak cryptographic algorithms.
templates/nextblock-template/app/actions/package-actions.tsView on unpkg · L14templates/nextblock-template/lib/botProtection/verify.tsView file
36/**
L37: * Verify a submitted FormData against the configured bot protection.
L38: *
...
L80: (provider === 'turnstile'
L81: ? process.env.TURNSTILE_SECRET_KEY
L82: : process.env.RECAPTCHA_SECRET_KEY) ||
...
L94:
L95: const res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
L96: method: 'POST',
...
L100:
L101: const outcome = await res.json();
L102: if (!outcome.success) {
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
templates/nextblock-template/lib/botProtection/verify.tsView on unpkg · L36docker-template/docker/migrate/run-migrations.shView file
•path = docker-template/docker/migrate/run-migrations.sh
kind = build_helper
sizeBytes = 1720
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
docker-template/docker/migrate/run-migrations.shView on unpkgFindings
1 Critical6 Medium5 Low
CriticalCredential Exfiltrationtemplates/nextblock-template/lib/botProtection/verify.ts
MediumSecret Patterntemplates/nextblock-template/app/api/cron/reset-sandbox/route.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdocker-template/docker/migrate/run-migrations.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowWeak Cryptotemplates/nextblock-template/app/actions/package-actions.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings