Static Scan Results
scanned 3h ago · by rust-scanner
Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshot
Source & flagged code
14 flagged
package.json: Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.json: Package defines install-time lifecycle scripts.
package.json: Install-time lifecycle script is not statically allowlisted and needs review.
client/src/translations.js · L1923: Package contains a possible secret pattern.
client/src/translations.js · L3404: Hardcoded password in client/src/translations.js
client/src/translations.js · L4880: Hardcoded password in client/src/translations.js
client/src/translations.js · L6341: Hardcoded password in client/src/translations.js
client/src/translations.js · L7815: Hardcoded password in client/src/translations.js
client/src/translations.js · L12253: Hardcoded password in client/src/translations.js
client/src/translations.js · L13721: Hardcoded password in client/src/translations.js
client/src/translations.js · L15178: Hardcoded password in client/src/translations.js
src/modules/worker-script-runner.js · L56: Package source references a known benign dynamic code generation pattern.
src/migrate.js · L125: Package source references dynamic require/import behavior.