Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
9 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L3RSA private key in dist/assets/vendor-auth-aD_bwYde.js
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L3Source reaches cloud instance metadata or link-local credential endpoints.
dist/assets/vendor-auth-aD_bwYde.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/assets/docx-preview-DehBmhog.jsView on unpkg · L11Package source references dynamic require/import behavior.
dist/assets/vendor-syntax-INF7-xC_.jsView on unpkg · L12Manifest entrypoint contains risky behavior absent from dist/build output.
bin/orbitchat.jsView on unpkg · L12Package ships non-JavaScript build or shell helper files.
orbitchat.shView on unpkgPackage ships high-entropy non-source blobs.
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkg