registry  /  wp-studio  /  1.15.0

wp-studio@1.15.0

WordPress Studio CLI

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 1,268 file(s), 40.7 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.wordpress.org, appscdn.wordpress.com, assets-cdn.github.com, assets.zyrosite.com, automattic.com, base-ui.com, bit.ly, bugs.jquery.com, cdn.dashjs.org, cdn.jsdelivr.net, davidwalsh.name, dev.ean.com, dev.mysql.com, developer.mozilla.org, developer.wordpress.com, developer.wordpress.org, docs.jquery.com, dom.spec.whatwg.org, domain.com, ecma-international.org, eev.ee, en.wikipedia.org, example.com, fb.me, fonts.gstatic.com, get.adobe.com, github.com, gitlab.com, gravatar.com, img.youtube.com, jquery.org, jqueryvalidation.org, json-schema.org, lodash.com, mathiasbynens.be, mercantile.wordpress.org, momentjs.com, my-site-replica.wp.local, nodejs.org, npms.io, openlayers.org, placeholder.invalid, player.vimeo.com, popper.js.org, public-api.wordpress.com, purl.org, radix-ui.com, raw.githubusercontent.com
Oversized source lightweight scan
dist/cli/admin-credentials-CxvNpb5L.mjs3.15 MB file, sampled 256 KB
FilesystemHighEntropyStringsUrlStringsappscdn.wordpress.comgithub.comnodejs.orgwordpress.com
dist/cli/data-liberation-agent/dist/mcp-server.bundle.mjs3.55 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedProtestware
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/block-editor.js2.70 MB file, sampled 256 KB
FilesystemChildProcessObfuscatedHighEntropyStringsUrlStringsfb.me
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/block-library.js2.57 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsdom.spec.whatwg.orggithub.comschemas.wp.orgupload.wikimedia.orgwww.w3.org
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/components.js3.83 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringswww.w3.org
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.js2.50 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsfb.mes.w.orgwordpress.orgwww.w3.org

Source & flagged code

10 flagged · loading source
dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.jsView file
84patternName = generic_password severity = medium line = 84 matchedText = '&passwo...d );
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.jsView on unpkg · L84
dist/cli/wp-files/phpmyadmin/js/dist/functions.jsView file
3458// eslint-disable-next-line no-eval L3459: eval(callback); L3460: } else {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/wp-files/phpmyadmin/js/dist/functions.jsView on unpkg · L3458
dist/cli/wp-files/phpmyadmin/js/dist/ol.jsView file
6exports.default = void 0; L7: var _control = require("ol/control.js"); L8: var _coordinate = require("ol/coordinate.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/wp-files/phpmyadmin/js/dist/ol.jsView on unpkg · L6
dist/cli/data-liberation-agent/dist/lib/replicate/local-data/scaffold-model.jsView file
1import { runInNewContext } from 'node:vm'; L2: import { DATA_MODEL_SCHEMA } from './types.js';
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/cli/data-liberation-agent/dist/lib/replicate/local-data/scaffold-model.jsView on unpkg · L1
dist/cli/data-liberation-agent/dist/lib/replicate/parity/parity-classify.jsView file
1// src/lib/replicate/parity/parity-classify.ts L2: //
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/data-liberation-agent/dist/lib/replicate/parity/parity-classify.jsView on unpkg · L1
dist/cli/wp-files/phpmyadmin/vendor/tecnickcom/tcpdf/fonts/dejavusansb.zView file
path = dist/cli/wp-[redacted].z kind = high_entropy_blob sizeBytes = 347269 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/cli/wp-files/phpmyadmin/vendor/tecnickcom/tcpdf/fonts/dejavusansb.zView on unpkg
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.jsView file
path = dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.js kind = oversized_source_file sizeBytes = 2617702 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.jsView on unpkg
dist/cli/config-BRpv2qyH.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = wp-studio@1.13.0 matchedIdentity = npm:d3Atc3R1ZGlv:1.13.0 similarity = 0.942 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/config-BRpv2qyH.mjsView on unpkg
dist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.jsView file
1917patternName = generic_password severity = medium line = 1917 matchedText = // risky...ble"
Medium
Secret Pattern

Hardcoded password in dist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.js

dist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.jsView on unpkg · L1917
dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.jsView file
2patternName = generic_password severity = medium line = 2 matchedText = !functio...pp);
Medium
Secret Pattern

Hardcoded password in dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.js

dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.jsView on unpkg · L2

Findings

3 High9 Medium10 Low
HighShips High Entropy Blobdist/cli/wp-files/phpmyadmin/vendor/tecnickcom/tcpdf/fonts/dejavusansb.z
HighOversized Source Filedist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.js
HighPrevious Version Dangerous Deltadist/cli/config-BRpv2qyH.mjs
MediumSecret Patterndist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.js
MediumDynamic Requiredist/cli/wp-files/phpmyadmin/js/dist/ol.js
MediumUnsafe Vm Contextdist/cli/data-liberation-agent/dist/lib/replicate/local-data/scaffold-model.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.js
MediumSecret Patterndist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/wp-files/phpmyadmin/js/dist/functions.js
LowWeak Cryptodist/cli/data-liberation-agent/dist/lib/replicate/parity/parity-classify.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License