critical
suspicious.env_credential_access
- Location
- dist/index.cjs:153
- Finding
- Environment variable access combined with network send.
- Evidence
var env = process.env;
liangzimixin-test
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.obfuscated_code
Findings (7)
critical
suspicious.env_credential_access
- Location
- dist/setup-entry.cjs:153
- Finding
- Environment variable access combined with network send.
- Evidence
var env = process.env;
critical
suspicious.exposed_secret_literal
- Location
- dist/index.cjs:40670
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
accessToken: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- dist/quantum-sdk/index.cjs:4147
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const response = await http2.post(url, data, { headers: { Authorization: [REDACTED] } });
critical
suspicious.exposed_secret_literal
- Location
- dist/setup-entry.cjs:39134
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
accessToken: [REDACTED],
warn
suspicious.obfuscated_code
- Location
- dist/index.cjs:9089
- Finding
- Potential obfuscated payload detected.
- Evidence
req.end(Buffer.from(jsonStringify(options, this.options.replacer), "utf8"));
warn
suspicious.obfuscated_code
- Location
- dist/setup-entry.cjs:9089
- Finding
- Potential obfuscated payload detected.
- Evidence
req.end(Buffer.from(jsonStringify(options, this.options.replacer), "utf8"));