rsshub@1.0.0-master.e171994

Make RSS Great Again!

Static Scan Results

scanned 16h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, Obfuscated, UrlStrings
Manifest
CopyleftLicense
scanned 3,592 file(s), 10.4 MB of source
Oversized source lightweight scan
dist-lib/routes-CE6LuW28.mjs · 3.90 MB file, sampled 256 KB
ChildProcess, HighEntropyStrings, UrlStrings
dist-lib/routes-CoxQgYup.mjs · 3.94 MB file, sampled 256 KB
ChildProcess, HighEntropyStrings, UrlStrings

Source & flagged code

12 flagged
dist-lib/latest-DqQsMpfh.mjs
L10: patternName = private_key_rsa severity = critical line = 10 matchedText = const rs...--";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-lib/latest-DqQsMpfh.mjs · L10
L10: patternName = private_key_rsa severity = critical line = 10 matchedText = const rs...--";
Critical
Secret Pattern

RSA private key in dist-lib/latest-DqQsMpfh.mjs

dist-lib/latest-DqQsMpfh.mjs · L10
dist-lib/common-config-DLVB06mr.mjs
L11: const timezone$1 = timezone;
L12: if (regex.test(result)) result = eval(result);
L13: return result;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist-lib/common-config-DLVB06mr.mjs · L11
dist-lib/registry-BUO1P6J8.mjs
L493: const relativeModulePath = filePath.slice(targetDirectoryPath.length);
L494: modules[relativeModulePath] = await import(pathToFileURL(filePath).href);
L495: }));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist-lib/registry-BUO1P6J8.mjs · L493
dist-lib/feed-DfctHvRI.mjs
L22: };
L23: const rootUrl = "https://locals.com";
L24: const route = {
...
L203: const response = await rofetch.raw(`${rootUrl}/_server`, {
L204: body: createRequestBody(args),
L205: headers: {
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist-lib/feed-DfctHvRI.mjs · L22
dist-lib/podcast-tVaXpKvP.mjs
L18: optional: true,
L19: description: "用户id, 部分专辑需要会员身份,用户id可以通过从网页端登录蜻蜓fm后使用开发者工具,在控制台中运行JSON.parse(localStorage.getItem(\"user\")).qingting_id获取"
L20: }]
...
L33: const path = `/audiostream/redirect/${channelId}/${mediaId}?access_token=&device_id=MOBILESITE&qingting_id=${qingtingId}&t=${Date.now()}`;
L34: return `https://audio.qingting.fm${path}&sign=${crypto.createHmac("md5", "fpMn12&38f_2e").update(path).digest("hex").toString()}`;
L35: }
...
L43: const desc = response.data.description;
L44: const { data: { programs } } = await rofetch(`https://i.qingting.fm/capi/channel/${channelId}/programs/${response.data.v}?curpage=1&pagesize=${pageSize}&order=asc`, { headers: { Re...
L45: const { data: channelInfo } = await rofetch(`https://i.qingting.fm/capi/v3/channel/${channelId}?user_id=${qingtingId}`);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-lib/podcast-tVaXpKvP.mjs · L18
dist-lib/routes-CE6LuW28.mjs
path = dist-lib/routes-CE6LuW28.mjs kind = oversized_source_file sizeBytes = 4090719 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-lib/routes-CE6LuW28.mjs
dist-lib/pickup-CGB7mVvx.mjs
L13: patternName = supabase_service_key severity = critical line = 13 matchedText = const re...K0";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/pickup-CGB7mVvx.mjs

dist-lib/pickup-CGB7mVvx.mjs · L13
dist-lib/prime-community-BpKNJy-4.mjs
L26: patternName = supabase_service_key severity = critical line = 26 matchedText = const TO...ZA";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/prime-community-BpKNJy-4.mjs

dist-lib/prime-community-BpKNJy-4.mjs · L26
dist-lib/utils-D2I5_fvA.mjs
L39: patternName = generic_password severity = medium line = 39 matchedText = return m...ce);
Medium
Secret Pattern

Hardcoded password in dist-lib/utils-D2I5_fvA.mjs

dist-lib/utils-D2I5_fvA.mjs · L39
dist-lib/utils-BiyO2GgI2.mjs
L3: patternName = generic_password severity = medium line = 3 matchedText = const pw...75";
Medium
Secret Pattern

Hardcoded password in dist-lib/utils-BiyO2GgI2.mjs

dist-lib/utils-BiyO2GgI2.mjs · L3
dist-lib/charts-CQZv9KlV.mjs
L92: patternName = google_api_key severity = high line = 92 matchedText = key: "AI..._dM"
High
Secret Pattern

Google API key in dist-lib/charts-CQZv9KlV.mjs

dist-lib/charts-CQZv9KlV.mjs · L92

Findings

4 Critical · 2 High · 7 Medium · 8 Low
Critical · Critical Secret · dist-lib/latest-DqQsMpfh.mjs
Critical · Secret Pattern · dist-lib/latest-DqQsMpfh.mjs
Critical · Secret Pattern · dist-lib/pickup-CGB7mVvx.mjs
Critical · Secret Pattern · dist-lib/prime-community-BpKNJy-4.mjs
High · Oversized Source File · dist-lib/routes-CE6LuW28.mjs
High · Secret Pattern · dist-lib/charts-CQZv9KlV.mjs
Medium · Dynamic Require · dist-lib/registry-BUO1P6J8.mjs
Medium · Unsafe Vm Context · dist-lib/feed-DfctHvRI.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist-lib/utils-D2I5_fvA.mjs
Medium · Secret Pattern · dist-lib/utils-BiyO2GgI2.mjs
Low · Scripts Present
Low · Eval · dist-lib/common-config-DLVB06mr.mjs
Low · Weak Crypto · dist-lib/podcast-tVaXpKvP.mjs
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License