security: 23 Critical/High panic-attack findings need human triage (Track C) #99

@hyperpolymath


panic-attack estate sweep — Track C tracking issue

panic-attack assail flagged the findings below in this repo on 2026-05-26. They are aggregated here for human triage rather than as individual PRs because each requires judgement (supply-chain pin choice, schema-design call, mutation-test gap, etc.).

PA001/PA007 UnsafeCode/UnsafeFFI findings are NOT in this list (Track A covers PA001/PA007 separately via PR #98). Findings already suppressed in audits/assail-classifications.a2ml are also excluded.

Estate tracker: hyperpolymath/panic-attack#32.

### `DynamicCodeExecution` (2 findings)

| Severity | File:line | Finding |
|---|---|---|
| High | main-game/dist/assets/webworkerAll-DNs-UuZS.js:? | DOM manipulation (innerHTML/document.write) in main-game/dist/assets/webworkerAll-DNs-UuZS.js |

### `ExcessivePermissions` (1 finding)

### `HardcodedSecret` (12 findings)

| Severity | File:line | Finding |
|---|---|---|
| Critical | src/app/tools/PasswordCracker.res.mjs:? | Possible hardcoded secret in src/app/tools/PasswordCracker.res.mjs |
| Critical | src/app/devices/GlobalNetworkData.res:? | Possible hardcoded secret in src/app/devices/GlobalNetworkData.res |
| Critical | src/app/devices/GlobalNetworkData.res.mjs:? | Possible hardcoded secret in src/app/devices/GlobalNetworkData.res.mjs |
| Critical | tests/unit/tools/PasswordCracker_test.mjs:? | Possible hardcoded secret in tests/unit/tools/PasswordCracker_test.mjs |
| Critical | main-game/dist/assets/index-Cdt-JTFK.js:? | Possible hardcoded secret in main-game/dist/assets/index-Cdt-JTFK.js |
| Critical | lib/bs/src/app/tools/PasswordCracker.res:? | Possible hardcoded secret in lib/bs/src/app/tools/PasswordCracker.res |
| Critical | lib/bs/src/app/tools/PasswordCracker.res.mjs:? | Possible hardcoded secret in lib/bs/src/app/tools/PasswordCracker.res.mjs |
| Critical | lib/bs/src/app/devices/GlobalNetworkData.res:? | Possible hardcoded secret in lib/bs/src/app/devices/GlobalNetworkData.res |
| Critical | lib/bs/src/app/devices/GlobalNetworkData.res.mjs:? | Possible hardcoded secret in lib/bs/src/app/devices/GlobalNetworkData.res.mjs |
| Critical | lib/ocaml/PasswordCracker.res:? | Possible hardcoded secret in lib/ocaml/PasswordCracker.res |
| Critical | lib/ocaml/GlobalNetworkData.res:? | Possible hardcoded secret in lib/ocaml/GlobalNetworkData.res |

### `SupplyChain` (1 finding)

### `UnsafeDeserialization` (7 findings)

| Severity | File:line | Finding |
|---|---|---|
| High | src/app/screens/BalanceAnalyserModel.res:? | 1 JSON.parseExn call in src/app/screens/BalanceAnalyserModel.res (use JSON.parse for a safe Result) |
| High | vm/lib/ocaml/benchmark.res:? | 1 JSON.parseExn call in vm/lib/ocaml/benchmark.res (use JSON.parse for a safe Result) |
| High | lib/bs/src/app/proven/SafeJson.res:? | 2 JSON.parseExn calls in lib/bs/src/app/proven/SafeJson.res (use JSON.parse for a safe Result) |
| High | lib/bs/src/app/screens/BalanceAnalyserModel.res:? | 1 JSON.parseExn call in lib/bs/src/app/screens/BalanceAnalyserModel.res (use JSON.parse for a safe Result) |
| High | lib/ocaml/SafeJson.res:? | 2 JSON.parseExn calls in lib/ocaml/SafeJson.res (use JSON.parse for a safe Result) |
| High | lib/ocaml/BalanceAnalyserModel.res:? | 1 JSON.parseExn call in lib/ocaml/BalanceAnalyserModel.res (use JSON.parse for a safe Result) |

🤖 Discovered during the panic-attack estate sweep (2026-05-26). See hyperpolymath/panic-attack#32 for campaign tracker.
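An added example, not code from this repository or from panic-attack, showing the hardening the `UnsafeDeserialization` findings ask for. It is written in JavaScript, the target of the compiled `.res.mjs` files, rather than ReScript: `JSON.parseExn` compiles down to the platform `JSON.parse`, which throws `SyntaxError` on malformed or truncated input, so an unhandled call on attacker-controlled text is a crash path. The example wraps the parse so that failure is a returned value, adds a shape decoder (a `BalanceAnalyserModel`-like record with `account`/`balance` fields is assumed; all function and field names are this example's own), rejects the non-finite numbers `JSON.parse` will happily produce from `1e999`, and goes one step beyond the finding by dropping `__proto__`/`constructor` keys in a reviver. The sample inputs are constructed.

```javascript
// Added example, not the repository's code. Result-returning JSON parsing
// for the compiled .mjs side of a ReScript app; all names are assumptions.

// safeParse: never throws. Returns {ok: true, value} or {ok: false, error}.
function safeParse(text) {
  if (typeof text !== "string") {
    return { ok: false, error: "input is not a string" };
  }
  try {
    // Reviver: returning undefined deletes the property, so keys that could
    // poison a later object merge never reach the rest of the program.
    const value = JSON.parse(text, (key, v) =>
      key === "__proto__" || key === "constructor" ? undefined : v
    );
    return { ok: true, value };
  } catch (e) {
    // SyntaxError on malformed/truncated input lands here instead of
    // unwinding the stack the way JSON.parseExn would.
    return { ok: false, error: `JSON parse failed: ${e.message}` };
  }
}

// decodeBalance: structural validation of the parsed value. A successful
// parse proves the text was JSON, not that it has the shape the caller expects.
function decodeBalance(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return { ok: false, error: "expected a JSON object" };
  }
  const { account, balance } = value;
  if (typeof account !== "string" || account.length === 0) {
    return { ok: false, error: "account must be a non-empty string" };
  }
  // JSON.parse("1e999") yields Infinity, so typeof "number" is not enough.
  if (typeof balance !== "number" || !Number.isFinite(balance)) {
    return { ok: false, error: "balance must be a finite number" };
  }
  return { ok: true, value: { account, balance } };
}

// parseBalance: the two steps chained; every failure is a value, not a throw.
function parseBalance(text) {
  const parsed = safeParse(text);
  return parsed.ok ? decodeBalance(parsed.value) : parsed;
}

// Constructed inputs (not taken from the repository).
const SAMPLES = {
  good: '{"account":"acc-1","balance":12.5}',
  truncated: '{"account":"acc-1","bal', // what a bare parseExn would throw on
  wrongShape: '{"account":"acc-1","balance":"12.5"}',
  overflow: '{"account":"acc-1","balance":1e999}',
  polluted: '{"__proto__":{"admin":true},"account":"acc-1","balance":1}',
};

for (const [name, text] of Object.entries(SAMPLES)) {
  const r = parseBalance(text);
  console.log(name, r.ok ? `ok ${JSON.stringify(r.value)}` : `rejected: ${r.error}`);
}
```

The decoder is the part the scanner's one-line suggestion leaves out: switching from a throwing parse to a Result only moves the failure to a value, and the caller still has to check that the value is the record it wants before using it.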
