registry  /  wacomm  /  2.15.0

wacomm@2.15.0

⚠ Under review

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 5.56 MB of source, external domains: account.mapbox.com, api.mapbox.com, apps.mapbox.com, docs.mapbox.com, events.mapbox.cn, events.mapbox.com, fb.me, github.com, maplibre.org, mui.com, tiles.locationiq.com, www.mapbox.com, www.w3.org
Oversized source lightweight scan
dist/index-BMckDPha.mjs2.41 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStrings
dist/mapbox-gl-C1TX3PLe.mjs2.23 MB file, sampled 256 KB
NetworkHighEntropyStringsUrlStringsaccount.mapbox.comapi.mapbox.comapps.mapbox.comdocs.mapbox.comevents.mapbox.cnevents.mapbox.comgithub.comwww.mapbox.com

Source & flagged code

5 flagged · loading source
dist/maplibre-gl-OzPV8HBs.jsView file
1"use strict";const Ep=require("./index-BIFuviRU.js");function Dp(Ta,Ol){for(var Fr=0;Fr<Ol.length;Fr++){const ki=Ol[Fr];if(typeof ki!="string"&&!Array.isArray(ki)){for(const Or in ... L2: * MapLibre GL JS
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/maplibre-gl-OzPV8HBs.jsView on unpkg · L1
dist/index-BIFuviRU.jsView file
664contains invisible/control Unicode U+200E (left-to-right mark) `));return typeof i=="string"?{type:i,contentType:i==="meridiem"?"letter":"digit",maxLength:void 0}:{type:i.sectionType,contentType:i.contentType,maxLength:i.maxLength}},S1=(e,t)=>{const i=[],A=e.date(void 0,"default"),c=e.startOfWeek(A),p=
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/index-BIFuviRU.jsView on unpkg · L664
Trigger-reachable chain: manifest.main -> dist/wacomm.cjs.js -> dist/index-BIFuviRU.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index-BIFuviRU.jsView on unpkg
dist/mapbox-gl-C1TX3PLe.mjsView file
path = dist/mapbox-gl-C1TX3PLe.mjs kind = oversized_source_file sizeBytes = 2338662 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/mapbox-gl-C1TX3PLe.mjsView on unpkg
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

2 Critical2 High4 Medium4 Low
CriticalTrojan Source Unicodedist/index-BIFuviRU.js
CriticalTrigger Reachable Dangerous Capabilitydist/index-BIFuviRU.js
HighOversized Source Filedist/mapbox-gl-C1TX3PLe.mjs
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requiredist/maplibre-gl-OzPV8HBs.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings