
iobroker.mywebui@1.85.0

⚠ Under review

ioBroker mywebui - Custom edited mywebui by gokturk413 with 3D Editor

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 852 file(s), 12.5 MB of source, external domains: cdn.jsdelivr.net, developer.mozilla.org, drafts.csswg.org, en.wikipedia.org, github.com, graphics.stanford.edu, gsap.com, jcgt.org, paulbourke.net, raw.githubusercontent.com, registry.khronos.org, threejs.org, www.bobatkins.com, www.ppsloan.org, www.w3.org

Source & flagged code

8 flagged
package.json
scripts.postinstall = node setup-scada-utils.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node setup-scada-utils.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
www/3d-editor/js/libs/acorn/acorn.js
L845: } L846: return new Function("str", f); L847: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

www/3d-editor/js/libs/acorn/acorn.js · L845
dist/backend/ImportmapCreator.js
1(function(_0x3a2e08,_0x49c743){const _0x3a195a={_0x5ea260:0x80,_0x113cf9:0xc3,_0x568cf8:0x172,_0x5d7cf9:0x197,_0x1f66dc:0x170,_0x1fb2d5:0xda,_0x3b86af:0x103,_0x5a04be:0x4d,_0x3ca52...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/backend/ImportmapCreator.js · L1
dist/backend/LicenseValidator.js
1(function(_0x2d7d20,_0x3b1074){const _0x22fc4a={_0x2e8fd5:0x288,_0x547c59:0x267,_0x42c7c5:0x41a,_0x39f56e:0x3f2,_0x26f0de:0x3ec,_0x30919c:0x476,_0x392a9d:0x408,_0x1ca31d:0x437,_0x2...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/backend/LicenseValidator.js · L1
scripts/_build_lineargauge.py
path = scripts/_build_lineargauge.py kind = build_helper sizeBytes = 7150 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/_build_lineargauge.py
default-controls/3dcontrols/test.3dcontrol
path = default-controls/3dcontrols/test.3dcontrol kind = high_entropy_blob sizeBytes = 169669 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

default-controls/3dcontrols/test.3dcontrol
path = default-controls/3dcontrols/test.3dcontrol kind = compressed_blob sizeBytes = 169669 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

default-controls/3dcontrols/test.3dcontrol

Findings

4 High · 8 Medium · 5 Low
High · Install Time Lifecycle Scripts · package.json
High · Obfuscated Payload Loader · dist/backend/LicenseValidator.js
High · Obfuscated
High · Ships High Entropy Blob · default-controls/3dcontrols/test.3dcontrol
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/backend/ImportmapCreator.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Build Helper · scripts/_build_lineargauge.py
Medium · Ships Compressed Blob · default-controls/3dcontrols/test.3dcontrol
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · www/3d-editor/js/libs/acorn/acorn.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings