registry  /  create-nextblock  /  0.12.13

create-nextblock@0.12.13

⚠ Under review

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 473 file(s), 3.92 MB of source, external domains: 127.0.0.1, analytics.google.com, another-domain.xyz, api.freemius.com, api.github.com, api.supabase.com, assets.vercel.com, cdn.example.com, cdn.nextblock.dev, cdn.nextblock.test, challenges.cloudflare.com, checkout.freemius.com, cms.nextblock.dev, custom-domain.com, dash.cloudflare.com, dev.to, developers.cloudflare.com, dummy.supabase.co, evil.example, example.com, github.com, images.unsplash.com, my-custom-origin.dev, new-assets.example.com, nextblock-editor.com, nextblock.ca, nextblock.dev, nextblock.local, nextblock.test, nodejs.org, old-assets.example.com, other.com, player.vimeo.com, pub-xxxx.r2.dev, r2.example.test, registry.npmjs.org, schema.org, stats.g.doubleclick.net, supabase.com, ucp.dev, vercel.com, vercel.live, vimeo.com, vitals.vercel-insights.com, www.docker.com, www.gnu.org, www.google-analytics.com, www.google.com, www.googletagmanager.com, www.gstatic.com

Source & flagged code

4 flagged · loading source
templates/nextblock-template/app/api/cron/reset-sandbox/route.tsView file
2612patternName = generic_password severity = medium line = 2612 matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

templates/nextblock-template/app/api/cron/reset-sandbox/route.tsView on unpkg · L2612
templates/nextblock-template/app/actions/package-actions.tsView file
14// The key itself determines the environment. L15: const FM_API_URL = 'https://api.freemius.com/v1'; L16: ... L40: export async function activatePackage(key: string) { L41: if (process.env.NEXT_PUBLIC_IS_SANDBOX === 'true') { L42: return { error: 'License activation is disabled in Sandbox mode. To purchase a real license, visit nextblock.ca' }; ... L80: L81: const responseData = await response.json(); L82: ... L146: // 1. Get current activation L147: const { data: activation, error: fetchError } = await supabase L148: .from('package_activations')
Low
Weak Crypto

Package source references weak cryptographic algorithms.

templates/nextblock-template/app/actions/package-actions.tsView on unpkg · L14
templates/nextblock-template/lib/botProtection/verify.tsView file
36/** L37: * Verify a submitted FormData against the configured bot protection. L38: * ... L80: (provider === 'turnstile' L81: ? process.env.TURNSTILE_SECRET_KEY L82: : process.env.RECAPTCHA_SECRET_KEY) || ... L94: L95: const res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', { L96: method: 'POST', ... L100: L101: const outcome = await res.json(); L102: if (!outcome.success) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

templates/nextblock-template/lib/botProtection/verify.tsView on unpkg · L36
docker-template/docker/migrate/run-migrations.shView file
path = docker-template/docker/migrate/run-migrations.sh kind = build_helper sizeBytes = 1720 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

docker-template/docker/migrate/run-migrations.shView on unpkg

Findings

1 Critical6 Medium5 Low
CriticalCredential Exfiltrationtemplates/nextblock-template/lib/botProtection/verify.ts
MediumSecret Patterntemplates/nextblock-template/app/api/cron/reset-sandbox/route.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdocker-template/docker/migrate/run-migrations.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowWeak Cryptotemplates/nextblock-template/app/actions/package-actions.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings