registry  /  rsshub  /  1.0.0-master.a1c7cea

rsshub@1.0.0-master.a1c7cea

Make RSS Great Again!

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
CopyleftLicense
scanned 3,601 file(s), 10.4 MB of source, external domains: 005.tv, 0x80.pl, 0xxx.ws, 1.1.1.1, 119.29.146.143, 127.0.0.1, 141jav.com, 141ppv.com, 18comic.org, 1x.com, 2048.info, 210.26.0.114, 2yuan.xjtu.edu.cn, 360zy.com, 3g.163.com, 3g.dxy.cn, 4a735ea38f8146198dc205d2e2d1bd28.z3c.jin10.com, 4kup.net, 500px.com.cn, 54youth.nwsuaf.edu.cn, 58.213.82.179, 60s.aa1.cn, 6api.ycwb.com, 7mmtv.sx, 81rc.81.cn, 82.157.138.16, 95.216.22.207, 9oyi4rk426.execute-api.ca-central-1.amazonaws.com, 9to5google.com, 9to5mac.com, 9to5toys.com, a.4cdn.org, a.ajmide.com, aa.nycu.edu.tw, aamacau.com, aao.nuaa.edu.cn, abc.net.au, about.netflix.com, about.voronoiapp.com, abs.twimg.com, ac.qq.com, academia.edu, academic.oup.com, accounts.spotify.com, acg.gamer.com.tw, acg17.com, acm.ecnu.edu.cn, adam-weekly-api-server-prod-ufaummkd5q-de.a.run.app, addons.mozilla.org, adma.ustb.edu.cn
Oversized source lightweight scan
dist-lib/routes-CfxguuMe.mjs3.94 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStrings81rc.81.cncastbox.fmconsole.cloud.google.comconsole.developers.google.comdocs.rsshub.appdt.yicai.comdy.163.comgithub.comm.weibo.cnminiflux.appmp.weixin.qq.comn.ifun.coolnews-at.zhihu.comphotos.app.goo.glreader.miniflux.apprent.591.com.twrsshub.appscholar.google.comsearch.careerengine.ust1.daumcdn.netweb.devwechat2rss.xlab.appweibo.comwww.economist.com
dist-lib/routes-VmHco7BR.mjs3.91 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStrings81rc.81.cncastbox.fmconsole.cloud.google.comconsole.developers.google.comdocs.rsshub.appdy.163.comgithub.comminiflux.appn.ifun.coolnews-at.zhihu.comphotos.app.goo.glreader.miniflux.apprent.591.com.twrsshub.appscholar.google.comt1.daumcdn.netwww.economist.comwww.google.comwww.jl1mall.comwww.jll.comwww.joneslanglasalle.com.cnwww.youtube.comwww.zaobao.com

Source & flagged code

12 flagged · loading source
dist-lib/prime-community-BHqvwYnb.mjsView file
26patternName = supabase_service_key severity = critical line = 26 matchedText = const TO...ZA";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-lib/prime-community-BHqvwYnb.mjsView on unpkg · L26
26patternName = supabase_service_key severity = critical line = 26 matchedText = const TO...ZA";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/prime-community-BHqvwYnb.mjs

dist-lib/prime-community-BHqvwYnb.mjsView on unpkg · L26
dist-lib/common-config-Ay0tzsG5.mjsView file
11const timezone$1 = timezone; L12: if (regex.test(result)) result = eval(result); L13: return result;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist-lib/common-config-Ay0tzsG5.mjsView on unpkg · L11
dist-lib/registry-dev-DSw76Ts0.mjsView file
37const relativeModulePath = filePath.slice(targetDirectoryPath.length); L38: modules[relativeModulePath] = await import(pathToFileURL(filePath).href); L39: }));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist-lib/registry-dev-DSw76Ts0.mjsView on unpkg · L37
dist-lib/feed-CITSq9U9.mjsView file
22}; L23: const rootUrl = "https://locals.com"; L24: const route = { ... L203: const response = await rofetch.raw(`${rootUrl}/_server`, { L204: body: createRequestBody(args), L205: headers: {
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist-lib/feed-CITSq9U9.mjsView on unpkg · L22
dist-lib/channel-iqYHBelr.mjsView file
67name: "Channels", L68: description: `Get the channel from the Castbox channel URL. For example, the URL of the channel "Lemonade Stand" is \`https://castbox.fm/channel/Lemonade-Stand-id6776228\`, where \... L69:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-lib/channel-iqYHBelr.mjsView on unpkg · L67
dist-lib/routes-VmHco7BR.mjsView file
path = dist-lib/routes-VmHco7BR.mjs kind = oversized_source_file sizeBytes = 4094988 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-lib/routes-VmHco7BR.mjsView on unpkg
dist-lib/utils-BiyO2GgI.mjsView file
3patternName = generic_password severity = medium line = 3 matchedText = const pw...75";
Medium
Secret Pattern

Hardcoded password in dist-lib/utils-BiyO2GgI.mjs

dist-lib/utils-BiyO2GgI.mjsView on unpkg · L3
dist-lib/charts-jfXAgc1B.mjsView file
92patternName = google_api_key severity = high line = 92 matchedText = key: "AI..._dM"
High
Secret Pattern

Google API key in dist-lib/charts-jfXAgc1B.mjs

dist-lib/charts-jfXAgc1B.mjsView on unpkg · L92
dist-lib/pickup-DRqJUeer.mjsView file
13patternName = supabase_service_key severity = critical line = 13 matchedText = const re...K0";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/pickup-DRqJUeer.mjs

dist-lib/pickup-DRqJUeer.mjsView on unpkg · L13
dist-lib/utils-BAW12ZBp.mjsView file
39patternName = generic_password severity = medium line = 39 matchedText = return m...ce);
Medium
Secret Pattern

Hardcoded password in dist-lib/utils-BAW12ZBp.mjs

dist-lib/utils-BAW12ZBp.mjsView on unpkg · L39
dist-lib/latest-BD9PC1yg.mjsView file
10patternName = private_key_rsa severity = critical line = 10 matchedText = const rs...--";
Critical
Secret Pattern

RSA private key in dist-lib/latest-BD9PC1yg.mjs

dist-lib/latest-BD9PC1yg.mjsView on unpkg · L10

Findings

4 Critical2 High7 Medium8 Low
CriticalCritical Secretdist-lib/prime-community-BHqvwYnb.mjs
CriticalSecret Patterndist-lib/prime-community-BHqvwYnb.mjs
CriticalSecret Patterndist-lib/pickup-DRqJUeer.mjs
CriticalSecret Patterndist-lib/latest-BD9PC1yg.mjs
HighOversized Source Filedist-lib/routes-VmHco7BR.mjs
HighSecret Patterndist-lib/charts-jfXAgc1B.mjs
MediumDynamic Requiredist-lib/registry-dev-DSw76Ts0.mjs
MediumUnsafe Vm Contextdist-lib/feed-CITSq9U9.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist-lib/utils-BiyO2GgI.mjs
MediumSecret Patterndist-lib/utils-BAW12ZBp.mjs
LowScripts Present
LowEvaldist-lib/common-config-Ay0tzsG5.mjs
LowWeak Cryptodist-lib/channel-iqYHBelr.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License