Is @tagspaces/extensions safe to install?

@tagspaces/extensions was flagged as CRITICAL RISK (risk score 26126) with 1887 findings detected across 989 files. Review the findings before installing.

What security issues were found in @tagspaces/extensions?

Sigil detected 1887 findings in @tagspaces/extensions, including patterns related to code_patterns, obfuscation, provenance, install_hooks, credentials. See the full scan report for details.

@tagspaces/extensions Security Scan — CRITICAL RISK | Sigil

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/ebook-viewer/libs/epubjs/epub.min.js:1

!function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e(require("JSZip")):"function"==typeof define&&define.amd?define(["JSZip"],e):"object"==typeof exports?exports.ePub=e(require("JSZip")):t.ePub=e(t.JSZip)}(window,(function(t){return function(t){var e={};function i(n){if(e[n])return e[n].exports;var s=e[n]={i:n,l:!1,exports:{}};return t[n].call(s.exports,s,s.exports,i),s.l=!0,s.exports}return i.m=t,i.c=e,i.d=function(t,e,n){i.o(t,e)||Object.defineProperty(t,e,{enumera

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/libs/jquery/dist/jquery.js:9499

			// Create the final options object
			s = jQuery.ajaxSetup( {}, options ),

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/libs/jquery/dist/jquery.js:9952


		// Make this explicit, since user can override this through ajaxSetup (trac-11264)
		type: "GET",

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/libs/jquery/dist/jquery.js:10221

// Install script dataType
jQuery.ajaxSetup( {
	accepts: {

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/libs/jquery/dist/jquery.js:10285

// Default jsonp settings
jQuery.ajaxSetup( {
	jsonp: "callback",

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/libs/jquery/dist/jquery.min.js:2

/*! jQuery v3.6.4 | (c) OpenJS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/libs/jquery/dist/jquery.min.js:2

/*! jQuery v3.6.4 | (c) OpenJS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/libs/jquery/dist/jquery.min.js:2

/*! jQuery v3.6.4 | (c) OpenJS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/md-editor/build/assets/index-CZPe4WLU.js:67

`):e.addNode("break")}}}));st(pp.node,{displayName:"NodeSchema<hardbreak>",group:"Hardbreak"});st(pp.ctx,{displayName:"NodeSchemaCtx<hardbreak>",group:"Hardbreak"});const cA=bn("InsertHardbreak",t=>()=>(e,n)=>{const{selection:r,tr:i}=e;if(!(r instanceof Kt))return!1;if(r.empty){const s=r.$from.node();if(s.childCount>0&&s.lastChild?.type.name==="hardbreak")return n?.(i.replaceRangeWith(r.to-1,r.to,e.schema.node("paragraph")).setSelection(kn.near(i.doc.resolve(r.to))).scrollIntoView()),!0}return n

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/md-editor/build/assets/index-CZPe4WLU.js:71

`,inConstruct:"tableCell"},{atBreak:!0,character:"|",after:"[	 :-]"},{character:"|",inConstruct:"tableCell"},{atBreak:!0,character:":",after:"-"},{atBreak:!0,character:"-",after:"[:|-]"}],handlers:{inlineCode:f,table:o,tableCell:l,tableRow:a}};function o(O,m,y,v){return u(c(O,y,v),O.align)}function a(O,m,y,v){const x=h(O,y,v),k=u([x]);return k.slice(0,k.indexOf(`
`))}function l(O,m,y,v){const x=y.enter("tableCell"),k=y.enter("phrasing"),P=y.containerPhrasing(O,{...v,before:s,after:s});return k()

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/md-editor/build/assets/index-CZPe4WLU.js:72

`))}function l(O,m,y,v){const x=y.enter("tableCell"),k=y.enter("phrasing"),P=y.containerPhrasing(O,{...v,before:s,after:s});return k(),x(),P}function u(O,m){return FPe(O,{align:m,alignDelimiters:r,padding:n,stringLength:i})}function c(O,m,y){const v=O.children;let x=-1;const k=[],P=m.enter("table");for(;++x<v.length;)k[x]=h(v[x],m,y);return P(),k}function h(O,m,y){const v=O.children;let x=-1;const k=[],P=m.enter("tableRow");for(;++x<v.length;)k[x]=l(v[x],O,m,y);return P(),k}function f(O,m,y){let

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/md-editor/build/assets/index-CZPe4WLU.js:336

`),u&&(O+=c.move(u+`
`)),O+=c.move(h),f(),O}function r(s,o,a){let l=s.value||"",u=1;for(e||u++;new RegExp("(^|[^$])"+"\\$".repeat(u)+"([^$]|$)").test(l);)u++;const c="$".repeat(u);/[^ \r\n]/.test(l)&&(/^[ \r\n]/.test(l)&&/[ \r\n]$/.test(l)||/^\$|\$$/.test(l))&&(l=" "+l+" ");let h=-1;for(;++h<a.unsafe.length;){const f=a.unsafe[h];if(!f.atBreak)continue;const O=a.compilePattern(f);let m;for(;m=O.exec(l);){let y=m.index;l.codePointAt(y)===10&&l.codePointAt(y-1)===13&&y--,l=l.slice(0,y)+" "+l.slice(

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/media-player/assets/index-C9ND7LT8.js:41

Error generating stack: `+s.message+`
`+s.stack}return{value:e,source:n,stack:i,digest:null}}function Cy(e,n,t){return{value:e,source:null,stack:t??null,digest:n??null}}function H3(e,n){try{console.error(n.value)}catch(t){setTimeout(function(){throw t})}}var gO=typeof WeakMap=="function"?WeakMap:Map;function x7(e,n,t){t=to(-1,t),t.tag=3,t.payload={element:null};var r=n.value;return t.callback=function(){O1||(O1=!0,J3=r),H3(e,n)},t}function E7(e,n,t){t=to(-1,t),t.tag=3;var r=e.type.getDerivedStat

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

package/slides-viewer/libs/reveal.js/plugin/highlight/highlight.esm.js:1

function e(t){return t instanceof Map?t.clear=t.delete=t.set=function(){throw new Error("map is read-only")}:t instanceof Set&&(t.add=t.clear=t.delete=function(){throw new Error("set is read-only")}),Object.freeze(t),Object.getOwnPropertyNames(t).forEach((function(a){var n=t[a];"object"!=typeof n||Object.isFrozen(n)||e(n)})),t}var t=e,a=e;t.default=a;class n{constructor(e){void 0===e.data&&(e.data={}),this.data=e.data,this.isMatchIgnored=!1}ignoreMatch(){this.isMatchIgnored=!0}}function i(e){ret

Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

package/slides-viewer/libs/reveal.js/plugin/highlight/highlight.js:1

!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).RevealHighlight=t()}(this,(function(){"use strict";function e(t){return t instanceof Map?t.clear=t.delete=t.set=function(){throw new Error("map is read-only")}:t instanceof Set&&(t.add=t.clear=t.delete=function(){throw new Error("set is read-only")}),Object.freeze(t),Object.getOwnPropertyNames(t).forEach((func

Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

@tagspaces/extensions

Summary

Provenance

Findings by Phase

Install Hooks

Code Patterns

Obfuscation

Credentials

Provenance

Badge

Scan your own packages

Get threat intelligence and product updates

Other npm scans