rsshub@1.0.0-master.a4002fa

Make RSS Great Again!

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, Obfuscated, UrlStrings
Manifest: CopyleftLicense
scanned 3,589 file(s), 10.4 MB of source
Oversized source lightweight scan
dist-lib/routes-Chq8gKSv.mjs: 3.94 MB file, sampled 256 KB
ChildProcess, HighEntropyStrings, UrlStrings
dist-lib/routes-swUjrZ6X.mjs: 3.90 MB file, sampled 256 KB
ChildProcess, HighEntropyStrings, UrlStrings

Source & flagged code

12 flagged
dist-lib/latest-B6A-F1H9.mjs
L10: patternName = private_key_rsa, severity = critical, line = 10, matchedText = const rs...--";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-lib/latest-B6A-F1H9.mjs · L10
L10: patternName = private_key_rsa, severity = critical, line = 10, matchedText = const rs...--";
Critical
Secret Pattern

RSA private key in dist-lib/latest-B6A-F1H9.mjs

dist-lib/latest-B6A-F1H9.mjs · L10
dist-lib/common-config-CSfT_Gyw.mjs
L11: const timezone$1 = timezone;
L12: if (regex.test(result)) result = eval(result);
L13: return result;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist-lib/common-config-CSfT_Gyw.mjs · L11
dist-lib/registry-C-rFZSwO.mjs
L493: const relativeModulePath = filePath.slice(targetDirectoryPath.length);
L494: modules[relativeModulePath] = await import(pathToFileURL(filePath).href);
L495: }));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist-lib/registry-C-rFZSwO.mjs · L493
dist-lib/feed-BXYU9XJ3.mjs
L22: };
L23: const rootUrl = "https://locals.com";
L24: const route = {
...
L203: const response = await rofetch.raw(`${rootUrl}/_server`, {
L204: body: createRequestBody(args),
L205: headers: {
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist-lib/feed-BXYU9XJ3.mjs · L22
dist-lib/channel-BsCeeSwN.mjs
L67: name: "Channels",
L68: description: `Get the channel from the Castbox channel URL. For example, the URL of the channel "Lemonade Stand" is \`https://castbox.fm/channel/Lemonade-Stand-id6776228\`, where \...
L69:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-lib/channel-BsCeeSwN.mjs · L67
dist-lib/routes-swUjrZ6X.mjs
path = dist-lib/routes-swUjrZ6X.mjs, kind = oversized_source_file, sizeBytes = 4089768, magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-lib/routes-swUjrZ6X.mjs
dist-lib/charts-4LfISV0E.mjs
L92: patternName = google_api_key, severity = high, line = 92, matchedText = key: "AI..._dM"
High
Secret Pattern

Google API key in dist-lib/charts-4LfISV0E.mjs

dist-lib/charts-4LfISV0E.mjs · L92
dist-lib/utils-CW8BK0_S.mjs
L39: patternName = generic_password, severity = medium, line = 39, matchedText = return m...ce);
Medium
Secret Pattern

Hardcoded password in dist-lib/utils-CW8BK0_S.mjs

dist-lib/utils-CW8BK0_S.mjs · L39
dist-lib/pickup-D4YBJFM5.mjs
L13: patternName = supabase_service_key, severity = critical, line = 13, matchedText = const re...K0";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/pickup-D4YBJFM5.mjs

dist-lib/pickup-D4YBJFM5.mjs · L13
dist-lib/utils-BiyO2GgI2.mjs
L3: patternName = generic_password, severity = medium, line = 3, matchedText = const pw...75";
Medium
Secret Pattern

Hardcoded password in dist-lib/utils-BiyO2GgI2.mjs

dist-lib/utils-BiyO2GgI2.mjs · L3
dist-lib/prime-community-Be0z2bo9.mjs
L26: patternName = supabase_service_key, severity = critical, line = 26, matchedText = const TO...ZA";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/prime-community-Be0z2bo9.mjs

dist-lib/prime-community-Be0z2bo9.mjs · L26

Findings

4 Critical · 2 High · 7 Medium · 8 Low
Critical · Critical Secret · dist-lib/latest-B6A-F1H9.mjs
Critical · Secret Pattern · dist-lib/latest-B6A-F1H9.mjs
Critical · Secret Pattern · dist-lib/pickup-D4YBJFM5.mjs
Critical · Secret Pattern · dist-lib/prime-community-Be0z2bo9.mjs
High · Oversized Source File · dist-lib/routes-swUjrZ6X.mjs
High · Secret Pattern · dist-lib/charts-4LfISV0E.mjs
Medium · Dynamic Require · dist-lib/registry-C-rFZSwO.mjs
Medium · Unsafe Vm Context · dist-lib/feed-BXYU9XJ3.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist-lib/utils-CW8BK0_S.mjs
Medium · Secret Pattern · dist-lib/utils-BiyO2GgI2.mjs
Low · Scripts Present
Low · Eval · dist-lib/common-config-CSfT_Gyw.mjs
Low · Weak Crypto · dist-lib/channel-BsCeeSwN.mjs
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License