registry  /  @awsless/cli  /  0.0.38

@awsless/cli@0.0.38

⚠ Under review

<p align="center">Awsless - Infrastructure as a code</p>

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 1.63 MB of source, external domains: 169.254.169.254, aws.amazon.com, docs.aws.amazon.com, github.com, json-schema.org, portal.sso, portal.sso-fips, sts.amazonaws.com

Source & flagged code

10 flagged · loading source
dist/prebuild/pubsub-server/index.mjsView file
4contains invisible/control Unicode U+FEFF (zero width no-break space) Deserialization error: to see the raw response, inspect the hidden field {error}.$response on this object.`),e}}})),nn=u((e=>{Object.defineProperty(e,`__esModule`,{value:!0}),e.serializerMiddleware=void 0,e.serializerMiddleware=(e,t)=>(n,
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/prebuild/pubsub-server/index.mjsView on unpkg · L4
25`);let i=t.parse(e),a=`#text`,o=Object.keys(i)[0],s=i[o];return s[a]&&(s[o]=s[a],delete s[a]),(0,n.getValueFromTextNode)(s)}return{}}),je=async(e,t)=>{let n=await Ae(e,t);return n.... L26: For more information, please visit: https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html`);let i=e.originalExpiration??e.expiration;return{...e,...i?{ori... L27: `+y.join(`
High
Child Process

Package source references child process execution.

dist/prebuild/pubsub-server/index.mjsView on unpkg · L25
11`)?``:void 0});t.addEntity(`#xD`,`\r`),t.addEntity(`#10`,` L12: `);let i=t.parse(e),a=`#text`,o=Object.keys(i)[0],s=i[o];return s[a]&&(s[o]=s[a],delete s[a]),(0,n.getValueFromTextNode)(s)}return{}}),K=async(e,t)=>{let n=await G(e,t);return n.Er... L13: `);return this.signString(v,{signingDate:r,signingRegion:u,signingService:l})}async signString(e,{signingDate:n=new Date,signingRegion:i,signingService:a}={}){let o=await this.cred... ... L22: ${n} L23: ${(0,t.toHex)(s)}`}getCanonicalPath({path:e}){if(this.uriEscapePath){let t=[];for(let n of e.split(`/`))n?.length!==0&&n!==`.`&&(n===`..`?t.pop():t.push(n));let n=`${e?.startsWith(... L24: `)?``:void 0});t.addEntity(`#xD`,`\r`),t.addEntity(`#10`,` L25: `);let i=t.parse(e),a=`#text`,o=Object.keys(i)[0],s=i[o];return s[a]&&(s[o]=s[a],delete s[a]),(0,n.getValueFromTextNode)(s)}return{}}),je=async(e,t)=>{let n=await Ae(e,t);return n.... L26: For more information, please visit: https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html`);let i=e.originalExpiration??e.expiration;return{...e,...i?{ori... L27: `+y.join(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/prebuild/pubsub-server/index.mjsView on unpkg · L11
11`)?``:void 0});t.addEntity(`#xD`,`\r`),t.addEntity(`#10`,` L12: `);let i=t.parse(e),a=`#text`,o=Object.keys(i)[0],s=i[o];return s[a]&&(s[o]=s[a],delete s[a]),(0,n.getValueFromTextNode)(s)}return{}}),K=async(e,t)=>{let n=await G(e,t);return n.Er... L13: `);return this.signString(v,{signingDate:r,signingRegion:u,signingService:l})}async signString(e,{signingDate:n=new Date,signingRegion:i,signingService:a}={}){let o=await this.cred... ... L22: ${n} L23: ${(0,t.toHex)(s)}`}getCanonicalPath({path:e}){if(this.uriEscapePath){let t=[];for(let n of e.split(`/`))n?.length!==0&&n!==`.`&&(n===`..`?t.pop():t.push(n));let n=`${e?.startsWith(... L24: `)?``:void 0});t.addEntity(`#xD`,`\r`),t.addEntity(`#10`,` L25: `);let i=t.parse(e),a=`#text`,o=Object.keys(i)[0],s=i[o];return s[a]&&(s[o]=s[a],delete s[a]),(0,n.getValueFromTextNode)(s)}return{}}),je=async(e,t)=>{let n=await Ae(e,t);return n.... L26: For more information, please visit: https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html`);let i=e.originalExpiration??e.expiration;return{...e,...i?{ori... L27: `+y.join(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/prebuild/pubsub-server/index.mjsView on unpkg · L11
1import{createRequire as e}from"node:module";import{randomUUID as t}from"node:crypto";import n from"crypto";var r=Object.create,i=Object.defineProperty,a=Object.getOwnPropertyDescri... L2: `).slice(0,5).filter(e=>!e.includes(`stackTraceWarning`)).join(` ... L11: `)?``:void 0});t.addEntity(`#xD`,`\r`),t.addEntity(`#10`,` L12: `);let i=t.parse(e),a=`#text`,o=Object.keys(i)[0],s=i[o];return s[a]&&(s[o]=s[a],delete s[a]),(0,n.getValueFromTextNode)(s)}return{}}),K=async(e,t)=>{let n=await G(e,t);return n.Er... L13: `);return this.signString(v,{signingDate:r,signingRegion:u,signingService:l})}async signString(e,{signingDate:n=new Date,signingRegion:i,signingService:a}={}){let o=await this.cred... ... L22: ${n} L23: ${(0,t.toHex)(s)}`}getCanonicalPath({path:e}){if(this.uriEscapePath){let t=[];for(let n of e.split(`/`))n?.length!==0&&n!==`.`&&(n===`..`?t.pop():t.push(n));let n=`${e?.startsWith(... L24: `)?``:void 0});t.addEntity(`#xD`,`\r`),t.addEntity(`#10`,` L25: `);let i=t.parse(e),a=`#text`,o=Object.keys(i)[0],s=i[o];return s[a]&&(s[o]=s[a],delete s[a]),(0,n.getValueFromTextNode)(s)}return{}}),je=async(e,t)=>{let n=await Ae(e,t);return n.... L26: For more information, please visit:
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/prebuild/pubsub-server/index.mjsView on unpkg · L1
dist/bin.jsView file
2844imports = /* @__PURE__ */ new Map(); L2845: addImport(varName, path) { L2846: this.imports.set(varName, path);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin.jsView on unpkg · L2844
140// src/util/aws.ts L141: var hasRuntimeAwsCredentials = () => !!(process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI || process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI || process.env.AWS_ACCESS_KEY_ID || pro... L142: var getCredentials = async (profile) => { ... L152: const client = new STSClient({ credentials, region }); L153: const result = await client.send(new GetCallerIdentityCommand({})); L154: return result.Account; ... L532: import { createCustomProvider as createCustomProvider4, createCustomResourceClass as createCustomResourceClass4 } from "@terraforge/core"; L533: import { resolveNs } from "dns/promises"; L534: import { z as z4 } from "zod"; ... L608: import { join, normalize, relative } from "path"; L609: var root = process.cwd(); L610: var directories = {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin.jsView on unpkg · L140
dist/layers/sharp-arm.zipView file
path = dist/layers/sharp-arm.zip kind = high_entropy_blob sizeBytes = 7298926 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/layers/sharp-arm.zipView on unpkg
path = dist/layers/sharp-arm.zip kind = compressed_blob sizeBytes = 7298926 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/layers/sharp-arm.zipView on unpkg
path = dist/layers/sharp-arm.zip kind = nested_archive_needs_inspection sizeBytes = 7298926 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/layers/sharp-arm.zipView on unpkg

Findings

1 Critical5 High5 Medium6 Low
CriticalTrojan Source Unicodedist/prebuild/pubsub-server/index.mjs
HighChild Processdist/prebuild/pubsub-server/index.mjs
HighSame File Env Network Executiondist/prebuild/pubsub-server/index.mjs
HighCommand Output Exfiltrationdist/prebuild/pubsub-server/index.mjs
HighCloud Metadata Accessdist/prebuild/pubsub-server/index.mjs
HighShips High Entropy Blobdist/layers/sharp-arm.zip
MediumDynamic Requiredist/bin.js
MediumEnvironment Vars
MediumProtestware
MediumShips Compressed Blobdist/layers/sharp-arm.zip
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/bin.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/layers/sharp-arm.zip