Baidu App

AdvisoryAudited by Static analysis on May 11, 2026.

Overview

Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Findings (4)

critical

suspicious.dynamic_code_execution

Location: dist/index.js:2682
Finding: Dynamic code execution detected.
Evidence: render = new Function(argument, "_", source);

critical

suspicious.env_credential_access

Location: dist/index.js:367
Finding: Environment variable access combined with network send.
Evidence: if (typeof process === "object" && process && process.env && process.env.Q_DEBUG) {

critical

suspicious.exposed_secret_literal

Location: dist/index.js:14588
Finding: File appears to expose a hardcoded API secret or token.
Evidence: var authorization = [REDACTED](

warn

suspicious.obfuscated_code

Location: dist/index.js:6196
Finding: Potential obfuscated payload detected.
Evidence: headers["Proxy-Authorization"] = `Basic ${Buffer.from(proxy.auth).toString("base64")}`;