registry  /  orbitchat  /  3.11.0

orbitchat@3.11.0

A standalone chat application for ORBIT that can be installed as an npm package and run as a CLI tool. All API communication is routed through a built-in Express proxy that maps adapter names to backend API keys, so **no secrets ever reach the browser**.

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
NoLicense
scanned 71 file(s), 6.14 MB of source, external domains: 169.254.169.254, 99.79.50.155, auth0.com, bit.ly, chevrotain.io, en.wikipedia.org, github.com, jquery.org, langium.org, lodash.com, login.microsoftonline.com, openjsf.org, paulrosen.github.io, react.dev, redux-toolkit.js.org, redux.js.org, schemas.microsoft.com, schemas.openxmlformats.org, stuk.github.io, tldrlegal.com, underscorejs.org, www.w3.org

Source & flagged code

9 flagged · loading source
dist/assets/vendor-auth-BWxE55Ta.jsView file
3patternName = private_key_rsa severity = critical line = 3 matchedText = `,10)+1,...or(`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/assets/vendor-auth-BWxE55Ta.jsView on unpkg · L3
3patternName = private_key_rsa severity = critical line = 3 matchedText = `,10)+1,...or(`
Critical
Secret Pattern

RSA private key in dist/assets/vendor-auth-BWxE55Ta.js

dist/assets/vendor-auth-BWxE55Ta.jsView on unpkg · L3
1import{r as L,R as Sl}from"./vendor-markdown-BRX1CUPf.js";var gs=function(r,e){return gs=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(t,n){t.__proto__=n}||functi... L2: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)})()}function op(r){return function(){return new Sr(r.apply(this,arguments))}}function Sr(r){var... L3: `,10)+1,s=o.substring(i)+(n?"//# sourceMappingURL="+n:""),a=new Blob([s],{type:"application/javascript"});return URL.createObjectURL(a)}var zc,Wc,Jc,Li,Up=(zc="Lyogcm9sbHVwLXBsdWdp... L4: auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information. L5: `)})(),this.lockManager=(Ui||(Ui=up()),Ui),e.cache&&e.cacheLocation&&console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ig...
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/assets/vendor-auth-BWxE55Ta.jsView on unpkg · L1
dist/assets/docx-preview-CMb3nQfR.jsView file
11*/var qt;function we(){return qt||(qt=1,(function(c,e){(function(t){c.exports=t()})(function(){return(function t(r,n,a){function o(y,w){if(!n[y]){if(!r[y]){var _=typeof Mt=="functi... L12: \0`,q+=a(R,2),q+=D.magic,q+=a(x,2),q+=a(A,2),q+=a(tt.crc32,4),q+=a(tt.compressedSize,4),q+=a(tt.uncompressedSize,4),q+=a(W.length,2),q+=a(L.length,2),{fileRecord:_.LOCAL_FILE_HEADE... L13: * @license
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/docx-preview-CMb3nQfR.jsView on unpkg · L11
dist/assets/vendor-syntax-DG6Vo7Ci.jsView file
12* @public L13: */var r=(function(a){var n=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,i=0,o={},s={manual:a.Prism&&a.Prism.manual,disableWorkerMessageHandler:a.Prism&&a.Prism.disableWorkerMessageHan... L14: ?|
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/vendor-syntax-DG6Vo7Ci.jsView on unpkg · L12
bin/orbitchat.jsView file
12Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network L12: import path from 'path'; L13: import { execFileSync } from 'child_process'; L14: import { fileURLToPath } from 'url'; L15: import { dirname } from 'path'; L16: import { createProxyMiddleware } from 'http-proxy-middleware'; L17: import yaml from 'js-yaml'; ... L20: const __filename = fileURLToPath(import.meta.url); L21: const __dirname = dirname(__filename); L22: ... L24: try { L25: const pkgPath = path.join(__dirname, '..', 'package.json'); L26: const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/orbitchat.jsView on unpkg · L12
orbitchat.shView file
path = orbitchat.sh kind = build_helper sizeBytes = 11860 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

orbitchat.shView on unpkg
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

2 Critical4 High6 Medium9 Low
CriticalCritical Secretdist/assets/vendor-auth-BWxE55Ta.js
CriticalSecret Patterndist/assets/vendor-auth-BWxE55Ta.js
HighEntrypoint Build Divergencebin/orbitchat.js
HighCloud Metadata Accessdist/assets/vendor-auth-BWxE55Ta.js
HighShips High Entropy Blobdist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requiredist/assets/vendor-syntax-DG6Vo7Ci.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperorbitchat.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/docx-preview-CMb3nQfR.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License