tinode-webapp@0.25.3

⚠ Under review

Tinode messenger for the web

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Eval, Network
Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 123 file(s), 5.12 MB of source, external domains: cdn.jsdelivr.net, fcmregistrations.googleapis.com, firebaseinstallations.googleapis.com, github.com, reactjs.org, securetoken.google.com, tinode.co, www.googletagmanager.com

Source & flagged code

4 flagged
umd/index.prod.js
L1: /*! For license information please see index.prod.js.LICENSE.txt */
L2: !function(){"use strict";var e,t,s,i,n={3272:function(e,t,s){const i="TinodeWeb",n=i+"/0.25.3",a={hosted:"web.tinode.co",local:"localhost:6060"},o=a.hosted;s.d(t,["C3",0,n,"HX",0,o...
L3: //# sourceMappingURL=index.prod.js.map
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

umd/index.prod.js · L1
L1: /*! For license information please see index.prod.js.LICENSE.txt */
L2: !function(){"use strict";var e,t,s,i,n={3272:function(e,t,s){const i="TinodeWeb",n=i+"/0.25.3",a={hosted:"web.tinode.co",local:"localhost:6060"},o=a.hosted;s.d(t,["C3",0,n,"HX",0,o...
L3: //# sourceMappingURL=index.prod.js.map
Low
Eval

Package source references a known benign dynamic code generation pattern.

umd/index.prod.js · L1
umd/src_views_messages-view_jsx.dev.js
L2226: contains invisible/control Unicode U+200D (zero width joiner)
textSizeClass += ' emoji-' + (content || '').match(/(?:👨🏻<U+200D>❤️<U+200D>💋<U+200D>👨🏻|👨🏻<U+200D>❤️<U+200D>💋<U+200D>👨🏼|👨🏻<U+200D>❤️<U+200D>💋<U+200D>👨🏽|👨🏻<U+200D>❤️<U+200D>💋<U+200D>👨🏾|👨🏻<U+200D>❤️<U+200D>💋<U+200D>👨🏿|👨🏼<U+200D>❤️<U+20
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

umd/src_views_messages-view_jsx.dev.js · L2226
audio/dialing.m4a
path = audio/dialing.m4a
kind = high_entropy_blob
sizeBytes = 4830
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

audio/dialing.m4a

Findings

1 Critical · 3 High · 3 Medium · 6 Low
Critical · Trojan Source Unicode · umd/src_views_messages-view_jsx.dev.js
High · Child Process
High · Same File Env Network Execution · umd/index.prod.js
High · Ships High Entropy Blob · audio/dialing.m4a
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · umd/index.prod.js
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings