iobroker.mywebui@1.99.1

⚠ Under review

ioBroker mywebui - Custom edited mywebui by gokturk413 with 3D Editor

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process · Dynamic Require · Environment Vars · Eval · Filesystem · Network
Supply chain: High Entropy Strings · Minified · Obfuscated · Protestware · Url Strings
Manifest: No manifest risk signals triggered.
scanned 862 file(s), 12.9 MB of source, external domains: cdn.jsdelivr.net, developer.mozilla.org, drafts.csswg.org, en.wikipedia.org, github.com, graphics.stanford.edu, gsap.com, jcgt.org, paulbourke.net, raw.githubusercontent.com, registry.khronos.org, threejs.org, www.bobatkins.com, www.ppsloan.org, www.w3.org

Source & flagged code

8 flagged
package.json
scripts.postinstall = node setup-scada-utils.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node setup-scada-utils.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

www/3d-editor/js/libs/acorn/acorn.js
845} L846: return new Function("str", f); L847: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

www/3d-editor/js/libs/acorn/acorn.js · L845
dist/backend/ImportmapCreator.js
1function _0x29a8f6(_0x3f2461,_0xa7ea19,_0x10c4da,_0x587736){return _0x9c4c(_0xa7ea19- -0x392,_0x587736);}(function(_0x5825b6,_0x3ee4a1){const _0x5f18da={_0x5238ae:0x2d7,_0x1cde7b:0...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/backend/ImportmapCreator.js · L1
dist/backend/LicenseValidator.js
1function _0x4fd2(_0x590f67,_0x54cf91){_0x590f67=_0x590f67-(-0x159c+-0x2*0xd86+0x3180);const _0x226660=_0x8bf5();let _0x55565a=_0x226660[_0x590f67];if(_0x4fd2['QvCiPv']===undefined)...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/backend/LicenseValidator.js · L1
scripts/_theme_nav_level.py
path = scripts/_theme_nav_level.py kind = build_helper sizeBytes = 2871 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

default-controls/3dcontrols/test.3dcontrol
path = default-controls/3dcontrols/test.3dcontrol kind = high_entropy_blob sizeBytes = 169669 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

path = default-controls/3dcontrols/test.3dcontrol kind = compressed_blob sizeBytes = 169669 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.


Findings

4 High · 8 Medium · 5 Low
High · Install Time Lifecycle Scripts · package.json
High · Obfuscated Payload Loader · dist/backend/LicenseValidator.js
High · Obfuscated
High · Ships High Entropy Blob · default-controls/3dcontrols/test.3dcontrol
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/backend/ImportmapCreator.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Build Helper · scripts/_theme_nav_level.py
Medium · Ships Compressed Blob · default-controls/3dcontrols/test.3dcontrol
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · www/3d-editor/js/libs/acorn/acorn.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings