registry  /  mppx  /  0.8.3

mppx@0.8.3

⚠ Under review

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 490 file(s), 5.72 MB of source, external domains: 127.0.0.1, 4byte.sourcify.dev, abitype.dev, api.anthropic.com, api.example.com, api.openai.com, api.pay.example.com, api.stripe.com, app.example.com, context7.com, cross-origin.com, cross-origin.example.com, dashboard.stripe.com, docs.anthropic.com, docs.fal.ai, docs.soliditylang.org, docs.stripe.com, env.example.com, example.com, example.test, explicit.example.com, explore.devnet.tempo.xyz, explore.tempo.xyz, explore.testnet.tempo.xyz, facilitator.example, fal.mpp.dev, fee-payer.example.com, first.example, freebie.example, gateway.example.com, host-a.example.com, host-b.example.com, js.stripe.com, mainnet.infura.io, mpp.dev, mpp.tempo.xyz, mppx.example.com, mppx.invalid, news.example.com, notexample.com, other.example.com, oxlib.sh, pay.example.com, paymentauth.org, payments.example.com, platform.openai.com, rpc.devnet.tempoxyz.dev, rpc.example.com, rpc.moderato.tempo.xyz, rpc.tempo.xyz

Source & flagged code

3 flagged · loading source
dist/cli/internal.jsView file
52return undefined; L53: const mod = await import(configPath); L54: return { config: (mod.default ?? mod), path: configPath };
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/internal.jsView on unpkg · L52
dist/tempo/server/internal/html.gen.jsView file
1// Generated — do not edit. L2: export const html = "<script>(function(){var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object... L3: //# sourceMappingURL=html.gen.js.map
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/tempo/server/internal/html.gen.jsView on unpkg · L1
1Trigger-reachable chain: manifest.exports -> dist/server/index.js -> dist/server/Methods.js -> dist/tempo/server/index.js -> dist/tempo/server/Charge.js -> dist/tempo/server/internal/html.gen.js L1: // Generated — do not edit. L2: export const html = "<script>(function(){var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object... L3: //# sourceMappingURL=html.gen.js.map
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/tempo/server/internal/html.gen.jsView on unpkg · L1

Findings

2 Critical5 Medium3 Low
CriticalCredential Exfiltrationdist/tempo/server/internal/html.gen.js
CriticalTrigger Reachable Dangerous Capabilitydist/tempo/server/internal/html.gen.js
MediumDynamic Requiredist/cli/internal.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings