registry  /  create-nextblock  /  0.11.2

create-nextblock@0.11.2

⚠ Under review

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 464 file(s), 3.67 MB of source, external domains: 127.0.0.1, analytics.google.com, another-domain.xyz, api.freemius.com, api.github.com, api.supabase.com, assets.vercel.com, cdn.nextblock.dev, cdn.nextblock.test, challenges.cloudflare.com, checkout.freemius.com, custom-domain.com, dash.cloudflare.com, dev.to, dummy.supabase.co, evil.example, example.com, github.com, images.unsplash.com, my-custom-origin.dev, new-assets.example.com, nextblock-editor.com, nextblock.ca, nextblock.dev, nextblock.local, nextblock.test, nodejs.org, old-assets.example.com, player.vimeo.com, pub-xxxx.r2.dev, r2.example.test, registry.npmjs.org, schema.org, stats.g.doubleclick.net, supabase.com, ucp.dev, vercel.com, vercel.live, vimeo.com, vitals.vercel-insights.com, www.docker.com, www.gnu.org, www.google-analytics.com, www.google.com, www.googletagmanager.com, www.linkedin.com, www.npmjs.com, www.smtp2go.com, www.w3.org, www.youtube-nocookie.com

Source & flagged code

3 flagged · loading source
templates/nextblock-template/app/api/cron/reset-sandbox/route.tsView file
2612patternName = generic_password severity = medium line = 2612 matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

templates/nextblock-template/app/api/cron/reset-sandbox/route.tsView on unpkg · L2612
templates/nextblock-template/app/actions/formActions.tsView file
32prevState: unknown, L33: formData: FormData L34: ): Promise<FormSubmissionResult> { ... L40: const sandboxRecipient = L41: process.env.NEXT_PUBLIC_IS_SANDBOX === 'true' L42: ? process.env.SANDBOX_CONTACT_EMAIL?.trim() || '' ... L92: L93: const res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', { L94: method: 'POST', ... L100: L101: const outcome = await res.json(); L102: if (!outcome.success) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

templates/nextblock-template/app/actions/formActions.tsView on unpkg · L32
docker-template/docker/migrate/run-migrations.shView file
path = docker-template/docker/migrate/run-migrations.sh kind = build_helper sizeBytes = 1720 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

docker-template/docker/migrate/run-migrations.shView on unpkg

Findings

1 Critical6 Medium4 Low
CriticalCredential Exfiltrationtemplates/nextblock-template/app/actions/formActions.ts
MediumSecret Patterntemplates/nextblock-template/app/api/cron/reset-sandbox/route.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdocker-template/docker/migrate/run-migrations.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings