iobroker.mywebui@1.68.0

⚠ Under review

ioBroker mywebui - Custom edited mywebui by gokturk413 with 3D Editor

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 851 file(s), 12.5 MB of source, external domains: cdn.jsdelivr.net, developer.mozilla.org, drafts.csswg.org, en.wikipedia.org, github.com, graphics.stanford.edu, gsap.com, jcgt.org, paulbourke.net, raw.githubusercontent.com, registry.khronos.org, threejs.org, www.bobatkins.com, www.ppsloan.org, www.w3.org

Source & flagged code

7 flagged
package.json
scripts.postinstall = node setup-scada-utils.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node setup-scada-utils.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

www/3d-editor/js/libs/acorn/acorn.js
L845: } L846: return new Function("str", f); L847: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/backend/ImportmapCreator.js
L1: (function(_0x37f63b,_0x3e6be2){const _0x4f0213={_0x31d858:0x2e4,_0x59d97f:0x2d3,_0x22db5f:0x37b,_0x7a05:0x30e,_0x12e04a:0x1b9,_0x1ace75:0x28f,_0x2a9a13:0x221,_0x4a6cb6:0x23e,_0x20a...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/backend/LicenseValidator.js
L1: (function(_0x2d7d20,_0x3b1074){const _0x22fc4a={_0x2e8fd5:0x288,_0x547c59:0x267,_0x42c7c5:0x41a,_0x39f56e:0x3f2,_0x26f0de:0x3ec,_0x30919c:0x476,_0x392a9d:0x408,_0x1ca31d:0x437,_0x2...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

default-controls/3dcontrols/test.3dcontrol
path = default-controls/3dcontrols/test.3dcontrol kind = high_entropy_blob sizeBytes = 169669 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

path = default-controls/3dcontrols/test.3dcontrol kind = compressed_blob sizeBytes = 169669 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.


Findings

4 High · 7 Medium · 5 Low
High · Install Time Lifecycle Scripts · package.json
High · Obfuscated Payload Loader · dist/backend/LicenseValidator.js
High · Obfuscated
High · Ships High Entropy Blob · default-controls/3dcontrols/test.3dcontrol
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/backend/ImportmapCreator.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Compressed Blob · default-controls/3dcontrols/test.3dcontrol
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · www/3d-editor/js/libs/acorn/acorn.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings