registry  /  pxt-core  /  12.3.29

pxt-core@12.3.29

⚠ Under review

Microsoft MakeCode provides Blocks / JavaScript / Python tools and editors

Static Scan Results

scanned 10h ago · by rust-scanner

Static analysis flagged 23 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 155 file(s), 18.2 MB of source, external domains: 127.0.0.1, aka.ms, api.github.com, api.whatsapp.com, arcade.makecode.com, arcade.staging.pxt.io, bit.ly, breeze.aimon.applicationinsights.io, bugzilla.mozilla.org, c2.com, classroom.google.com, code.visualstudio.com, console.developers.google.com, datatracker.ietf.org, dc-int.services.visualstudio.com, dc.services.visualstudio.com, developers.google.com, en.wikipedia.org, example.com, fb.me, forum.makecode.com, github.com, img.youtube.com, makecode.com, meyerweb.com, pxt.io, randomcolour.com, raw.githubusercontent.com, reactjs.org, redux.js.org, registry.npmjs.org, rubygems.org, schemas.microsoft.com, semver.org, staging.pxt.io, static.blockly.com, support.crowdin.com, teams.microsoft.com, twitter.com, vscode.dev, www.apache.org, www.bohemiancoding.com, www.december.com, www.facebook.com, www.googleapis.com, www.makecode.com, www.w3.org, www.youtube-nocookie.com, www.youtube.com, youtu.be
Oversized source lightweight scan
built/pxt.js8.39 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringsProtestwaregithub.commakecode.com
built/tests/blocksrunner.js4.50 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsimg.youtube.comyoutu.be
built/tests/blockssetup.js4.48 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsimg.youtube.comyoutu.be
built/web/main.js4.21 MB file, sampled 256 KB
HighEntropyStringsMinifiedUrlStringsgithub.com
built/web/pxtembed.js3.89 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsMinified
built/web/pxtworker.js2.37 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsMinified
built/web/vs/editor/editor.main.js2.42 MB file, sampled 256 KB
ObfuscatedHighEntropyStringsMinified
pxtcompiler/ext-typescript/lib/typescript.js5.26 MB file, sampled 256 KB
FilesystemChildProcess
webapp/public/vs/language/typescript/tsWorker.js4.19 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsMinifiedUrlStringswww.apache.org

Source & flagged code

11 flagged · loading source
webapp/public/highlight.js/highlight.pack.jsView file
132;const e=this.regexes.map((e=>e[1]));this.matcherRe=t(m(e,{joinWith:"|" L133: }),!0),this.lastIndex=0}exec(e){this.matcherRe.lastIndex=this.lastIndex L134: ;const t=this.matcherRe.exec(e);if(!t)return null
High
Child Process

Package source references child process execution.

webapp/public/highlight.js/highlight.pack.jsView on unpkg · L132
webapp/public/vs/base/worker/workerMain.jsView file
6*-----------------------------------------------------------*/(function(){var z=["require","exports","vs/base/common/platform","vs/editor/common/core/position","vs/base/common/erro... L7: //# sourceURL=`+f;var i=_?self.eval(_.createScript("",g)):new Function(g);i.call(self),S()}).then(void 0,a);return}try{_&&(f=_.createScriptURL(f)),importScripts(f),S()}catch(g){a(g... L8: });`,u}();function o(u,s){if(s.__$__isRecorded)return s;var f=function(a){u.record(33,a);try{return s(a)}finally{u.record(34,a)}};return f.__$__isRecorded=!0,f}I.ensureRecordedNode...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

webapp/public/vs/base/worker/workerMain.jsView on unpkg · L6
6*-----------------------------------------------------------*/(function(){var z=["require","exports","vs/base/common/platform","vs/editor/common/core/position","vs/base/common/erro... L7: //# sourceURL=`+f;var i=_?self.eval(_.createScript("",g)):new Function(g);i.call(self),S()}).then(void 0,a);return}try{_&&(f=_.createScriptURL(f)),importScripts(f),S()}catch(g){a(g... L8: });`,u}();function o(u,s){if(s.__$__isRecorded)return s;var f=function(a){u.record(33,a);try{return s(a)}finally{u.record(34,a)}};return f.__$__isRecorded=!0,f}I.ensureRecordedNode...
Low
Eval

Package source references a known benign dynamic code generation pattern.

webapp/public/vs/base/worker/workerMain.jsView on unpkg · L6
built/web/typescript.jsView file
4this file except in compliance with the License. You may obtain a copy of the L5: License at http://www.apache.org/licenses/LICENSE-2.0 L6: ... L14: ***************************************************************************** */ L15: "use strict";var __assign=this&&this.__assign||Object.assign||function(e){for(var t,n=1,r=arguments.length;n<r;n++)for(var i in t=arguments[n])Object.prototype.hasOwnProperty.call(...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

built/web/typescript.jsView on unpkg · L4
built/nodeutil.jsView file
55function spawnWithPipeAsync(opts) { L56: // https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 L57: if (os.platform() === "win32" && typeof opts.shell === "undefined") ... L65: return new Promise((resolve, reject) => { L66: let ch = child_process.spawn(opts.cmd, opts.args, { L67: cwd: opts.cwd, L68: env: opts.envOverrides ? extendEnv(process.env, opts.envOverrides) : process.env, L69: stdio: opts.pipe ? [opts.input == null ? process.stdin : "pipe", "pipe", process.stderr] : "inherit",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

built/nodeutil.jsView on unpkg · L55
4exports.matchesAny = exports.stringify = void 0; L5: const child_process = require("child_process"); L6: const fs = require("fs"); ... L8: const url = require("url"); L9: const http = require("http"); L10: const https = require("https"); ... L15: //This should be correct at startup when running from command line L16: exports.targetDir = process.cwd(); L17: exports.pxtCoreDir = path.join(__dirname, ".."); ... L39: if (typeof c === "string") L40: bufs.push(Buffer.from(c, "utf8")); L41: else
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

built/nodeutil.jsView on unpkg · L4
built/cli.jsView file
14const path = require("path"); L15: const child_process = require("child_process"); L16: const util_1 = require("util"); ... L46: }; L47: let forceCloudBuild = process.env["KS_FORCE_CLOUD"] !== "no"; L48: let forceLocalBuild = !!process.env["PXT_FORCE_LOCAL"]; ... L164: if (!mm) { L165: console.error("Invalid accessToken format, expecting something like 'https://example.com/?access_token=0.abcd.XXXX'"); L166: return; ... L244: data.getkey = true; L245: return Cloud.privatePostAsync("pokerepo", data) L246: .then(resp => {
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

built/cli.jsView on unpkg · L14
built/web/pxtlib.jsView file
1package = pxt-core; repositoryIdentity = pxt; dependency = lzma L1: pxt||(pxt={}),function(e){!function(t){const n={},i={};let s,r=!1;function a(e){Object.keys(e).forEach(t=>{"string"==typeof e[t]?n[t]=e[t]:i[t]=e[t]})}!function(e){e[e.Off=0]="Off"...
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

built/web/pxtlib.jsView on unpkg · L1
webapp/public/blockly/media/drop.mp3View file
path = [redacted].mp3 kind = high_entropy_blob sizeBytes = 5434 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

webapp/public/blockly/media/drop.mp3View on unpkg
built/tests/blockssetup.jsView file
path = built/tests/blockssetup.js kind = payload_in_excluded_dir sizeBytes = 4696572 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

built/tests/blockssetup.jsView on unpkg
webapp/public/vs/language/typescript/tsWorker.jsView file
path = [redacted].js kind = oversized_source_file sizeBytes = 4396591 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

webapp/public/vs/language/typescript/tsWorker.jsView on unpkg

Findings

1 Critical8 High5 Medium9 Low
CriticalNpm Publish Wormbuilt/cli.js
HighChild Processwebapp/public/highlight.js/highlight.pack.js
HighShell
HighSame File Env Network Executionbuilt/nodeutil.js
HighSandbox Evasion Gated Capabilitybuilt/nodeutil.js
HighCopied Package Dependency Bridgebuilt/web/pxtlib.js
HighShips High Entropy Blobwebapp/public/blockly/media/drop.mp3
HighPayload In Excluded Dirbuilt/tests/blockssetup.js
HighOversized Source Filewebapp/public/vs/language/typescript/tsWorker.js
MediumDynamic Requirewebapp/public/vs/base/worker/workerMain.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalwebapp/public/vs/base/worker/workerMain.js
LowWeak Cryptobuilt/web/typescript.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings