registry  /  @blnkfinance/blnk-cli  /  1.8.2

@blnkfinance/blnk-cli@1.8.2

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 11 file(s), 83.9 KB of source, external domains: api.example.com, discord.gg, docs.blnkfinance.com, github.com

Source & flagged code

3 flagged · loading source
plugins.jsView file
1#!/usr/bin/env node L2: import axios from "axios"; L3: import sqlite3 from "sqlite3"; ... L14: L15: const appDataDir = path.join(os.homedir(), ".blnk-cli"); L16: const dbPath = path.join(appDataDir, "plugin-state.db"); ... L126: const pluginJsonPath = path.join(destination, "plugin.json"); L127: const pluginJson = JSON.parse( L128: fs.readFileSync(pluginJsonPath, "utf8") ... L354: chalk, L355: eventData: {}, L356: module,
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

plugins.jsView on unpkg · L1
core.jsView file
2import inquirer from "inquirer"; L3: import { spawn } from "child_process"; L4: import { fail, failFromError } from "./utils/errors.js"; L5: import { requestApi } from "./utils/axios.js"; L6: import { colorStatus, displayTable } from "./utils/output.js"; ... L254: function startSpinner(label) { L255: const stream = process.stderr; L256: let frameIndex = 0; L257: stream.write(spinnerGray(`${SPINNER_FRAMES[frameIndex]} ${label}`)); L258: ... L277: const trimmed = input.trim(); L278: return trimmed ? JSON.parse(trimmed) : {};
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

core.jsView on unpkg · L2
matchType = previous_version_dangerous_delta matchedPackage = @blnkfinance/blnk-cli@1.8.1 matchedIdentity = npm:QGJsbmtmaW5hbmNlL2JsbmstY2xp:1.8.1 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

core.jsView on unpkg

Findings

2 High3 Medium4 Low
HighSandbox Evasion Gated Capabilitycore.js
HighPrevious Version Dangerous Deltacore.js
MediumUnsafe Vm Contextplugins.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License