Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · WebSocket
HighEntropyStrings · UrlStrings
WildcardDependency
Source & flagged code
4 flagged
dist/index.mjs
patternName = supabase_service_key
severity = critical
line = 7456
matchedText = var supa...tM";
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/index.mjs · L7456
patternName = supabase_service_key
severity = critical
line = 7456
matchedText = var supa...tM";
Critical
dist/chunk-NVNLENJ4.mjs
L9: dateToUtcString,
L10: fromBase64,
L11: fromUtf8,
...
L337: var DEFAULT_PROFILE = "default";
L338: var getProfileName = (init) => init.profile || process.env[ENV_PROFILE] || DEFAULT_PROFILE;
L339:
...
L362: if (!homeDirCache[homeDirCacheKey])
L363: homeDirCache[homeDirCacheKey] = homedir();
L364: return homeDirCache[homeDirCacheKey];
...
L686: if (region === "*") {
L687: console.warn(`@smithy/config-resolver WARN - Please use the caller region instead of "*". See "sigv4a" in https://github.com/aws/aws-sdk-js-v3/blob/main/supplemental-docs/CLIENTS.m...
L688: } else {
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/chunk-NVNLENJ4.mjs · L9
dist/dist-es-UXGKQHMI.mjs
L72: if (response.statusCode === 200) {
L73: const parsed = JSON.parse(str);
L74: if (typeof parsed.AccessKeyId !== "string" || typeof parsed.SecretAccessKey !== "string" || typeof parsed.Token !== "string" || typeof parsed.Expiration !== "string") {
...
L113: var AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
L114: var DEFAULT_LINK_LOCAL_HOST = "http://169.254.170.2";
L115: var AWS_CONTAINER_CREDENTIALS_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
...
L120: let host;
L121: const relative = options.[redacted] ?? process.env[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI];
L122: const full = options.awsContainerCredentialsFullUri ?? process.env[AWS_CONTAINER_CREDENTIALS_FULL_URI];
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/dist-es-UXGKQHMI.mjs · L72
Findings
2 Critical · 1 High · 4 Medium · 6 Low
Critical · Critical Secret · dist/index.mjs
Critical · Secret Pattern · dist/index.mjs
High · Cloud Metadata Access · dist/dist-es-UXGKQHMI.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/chunk-NVNLENJ4.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings