registry  /  kordoc  /  3.8.0

kordoc@3.8.0

⚠ Under review

Parse Korean documents (HWP3, HWP, HWPX, HWPML, PDF, XLS, XLSX, DOCX) to Markdown + Print Renderer

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 2.22 MB of source, external domains: github.com, huggingface.co, www.hancom.co.kr, www.idpf.org

Source & flagged code

2 flagged · loading source
dist/watch-GVZESOCE.jsView file
25const log = silent ? () => { L26: } : (msg) => process.stderr.write(msg + "\n"); L27: log(`[kordoc watch] \uAC10\uC2DC \uC2DC\uC791: ${resolve(dir)}`); ... L135: validateWebhookUrl(url); L136: await fetch(url, { L137: method: "POST",
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/watch-GVZESOCE.jsView on unpkg · L25
dist/chunk-SLKF72QF.jsView file
matchType = previous_version_dangerous_delta matchedPackage = kordoc@3.7.0 matchedIdentity = npm:a29yZG9j:3.7.0 similarity = 0.966 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/chunk-SLKF72QF.jsView on unpkg

Findings

1 Critical1 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/chunk-SLKF72QF.js
HighCloud Metadata Accessdist/watch-GVZESOCE.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings