Static Scan Results
scanned 9d ago · by rust-scannerStatic analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
9 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/assets/vendor-auth-BWxE55Ta.jsView on unpkg · L3RSA private key in dist/assets/vendor-auth-BWxE55Ta.js
dist/assets/vendor-auth-BWxE55Ta.jsView on unpkg · L3Source reaches cloud instance metadata or link-local credential endpoints.
dist/assets/vendor-auth-BWxE55Ta.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/assets/docx-preview-CMb3nQfR.jsView on unpkg · L11Package source references dynamic require/import behavior.
dist/assets/vendor-syntax-DG6Vo7Ci.jsView on unpkg · L12Manifest entrypoint contains risky behavior absent from dist/build output.
bin/orbitchat.jsView on unpkg · L12Package ships non-JavaScript build or shell helper files.
orbitchat.shView on unpkgPackage ships high-entropy non-source blobs.
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkg