
@capgo/cli@8.24.5

⚠ Under review

A CLI to upload to capgo servers

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 24 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
A combination of high-risk behaviors matched the malicious-package policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 2.19 MB of source, external domains: accounts.google.com, androidpublisher.googleapis.com, api.appstoreconnect.apple.com, api.capgo.app, appstoreconnect.apple.com, capacitorjs.com, capgo.app, cli.github.com, console.capgo.app, developer.android.com, developer.mozilla.org, docs.npmjs.com, eu.i.posthog.com, files.capgo.app, github.com, json-schema.org, mths.be, oauth2.googleapis.com, plugin.capgo.app, rafeca.com, s3.amazonaws.com, schemas.android.com, semver.org, support.google.com, www.googleapis.com, www.w3.org
Oversized source (lightweight scan)
dist/index.js — 4.29 MB file, sampled 256 KB
Network, ChildProcess, EnvironmentVars, HighEntropyStrings, Minified, UrlStrings; domains: capgo.app, console.capgo.app, developer.android.com, eu.i.posthog.com, github.com

Source & flagged code

15 flagged
dist/src/sdk.js
L463 — patternName = private_key_rsa severity = critical line = 463 matchedText = `||Y==="...thm.
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/sdk.js · L463 (view on unpkg)
4`){if(Y)X+=O_("");let z=Q?H_(Q):void 0;if(Q&&z)X+=z_(z)}else if(H===` L5: `){if(Q&&H_(Q))X+=z_(Q);if(Y)X+=O_(Y)}}return X},lV0;var jN=s(()=>{EN();IN=`${mV0}8;;`,W_=new RegExp(`(?:\\${K_}(?<code>\\d+)m|\\${IN}(?<uri>.*)${AN})`,"y"),lV0=/\r?\n/});var U1=R(... L6: `),Y=0,Z=$;for(let U of Q){if(Z<=U.length)break;Z-=U.length+1,Y++}for(Y=Math.max(0,Math.min(Q.length-1,Y+J)),Z=Math.min(Z,Q[Y].length)+D;Z<0&&Y>0;)Y--,Z+=Q[Y].length+1;for(;Z>Q[Y].... L7: `),X=D.split(` L8: `),Q=Math.max(J.length,X.length),Y=[];for(let Z=0;Z<Q;Z++)J[Z]!==X[Z]&&Y.push(Z);return{lines:Y,numLinesBefore:J.length,numLinesAfter:X.length,numLines:Q}}function G$($){return $==... L9: `).map((F,U,G)=>{let q=Y?Y(F,U):F;return U===0?`${X}${q}`:U===G.length-1?`${Q}${q}`:`${J}${q}`}).join(` ... L14: `).slice(Y);this.output.write(Z.join(` L15: `)),this._prevFrame=$;return}}this.output.write(AD.erase.down())}this.output.write($),this.state==="initial"&&(this.state="active"),this._prevFrame=$}}}function sV0($,D){if($===voi... L16: `?`${D}█ ... L19: `&&(this._setUserInput(this.userInput.slice(0,this.cursor-1)+this.userInput.slice(this.cursor)),this._cursor--),!0):(this.#$(` L20: `),this._cursor++,!1)}constructor($){super(
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/src/sdk.js · L4 (view on unpkg)
131Trigger-reachable chain: manifest.exports -> dist/src/sdk.js L131: `)}function rS0($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function oS0(){return process.env.DEBUG}function tS0($){$.inspectOpts={};let D=Object.keys(dd.inspectOpts)... L132: `).map((D)=>D.trim()).join(" ")};md.O=function($){return this.inspectOpts.colors=this.useColors,p3.inspect($,this.inspectOpts)}});var o3=R((WM$,ZL)=>{if(typeof process>"u"||process... L133: L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:X,destStat:Q}=await oZ.checkPaths($,D,"copy",J);if(await oZ.checkParentPath... L135: L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:X,destStat:Q}=aZ.checkPathsSync($,D,"copy",J);if(aZ.checkParentPathsSync($,... L137: `,finalEOL:J=!0,replacer:X=null,spaces:Q}={}){let Y=J?D:"",Z=JSON.stringify($,X,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r... L138: `)];for(let[G,q]of U.entries()){if(X+=q,YW.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.co…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/sdk.js · L131 (view on unpkg)
L463 — patternName = private_key_rsa severity = critical line = 463 matchedText = `||Y==="...thm.
Critical
Secret Pattern

RSA private key in dist/src/sdk.js

dist/src/sdk.js · L463 (view on unpkg)
L472 — patternName = private_key_rsa severity = critical line = 472 matchedText = `+" - T...in(`
Critical
Secret Pattern

RSA private key in dist/src/sdk.js

dist/src/sdk.js · L472 (view on unpkg)
L650 — patternName = private_key_rsa severity = critical line = 650 matchedText = All pack... Y=`
Critical
Secret Pattern

RSA private key in dist/src/sdk.js

dist/src/sdk.js · L650 (view on unpkg)
273L274: see https://github.com/jprichardson/node-fs-extra/issues/269`);jF.checkPaths($,D,"copy",(Q,Y)=>{if(Q)return X(Q);let{srcStat:Z,destStat:F}=Y;jF.checkParentPaths($,Z,D,"copy",(U)=>{... L275: `)}J60.check=qi0;async function Wi0($){var D;if((D=$.app.extConfig.server)===null||D===void 0?void 0:D.url)return null;if(["",".","..","../","./"].includes($.app.webDir))return`"${...
High
Child Process

Package source references child process execution.

dist/src/sdk.js · L273 (view on unpkg)
311export default config; L312: `}});var kH,p9,fE,L60,B60,E60,R60,A60;var hE=s(()=>{kH=B$(M60(),1),p9=B$(eW(),1),fE=kH.loadConfig,L60=kH.writeConfig,B60=p9.findMonorepoRoot,E60=p9.findNXMonorepoRoot,R60=p9.isMono... L313: `)}var v60=($,D)=>{$.name="$ZodError",Object.defineProperty($,"_zod",{value:$._zod,enumerable:!1}),Object.defineProperty($,"issues",{value:D,enumerable:!1}),$.message=JSON.stringif...
High
Eval

Package source references dynamic code evaluation.

dist/src/sdk.js · L311 (view on unpkg)
133L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:X,destStat:Q}=await oZ.checkPaths($,D,"copy",J);if(await oZ.checkParentPath... L135: L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:X,destStat:Q}=aZ.checkPathsSync($,D,"copy",J);if(aZ.checkParentPathsSync($,... L137: `,finalEOL:J=!0,replacer:X=null,spaces:Q}={}){let Y=J?D:"",Z=JSON.stringify($,X,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r... L138: `)];for(let[G,q]of U.entries()){if(X+=q,YW.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.code!==void 0)... ... L146: `);return W=Math.max(W,O.length),O});for(let z in q)if(Z[z])Z[z].push(...H[z],...Array(W-H[z].length).fill(""))}let F=Z.map((q,W)=>{if(W<Y-1){let H=xn(q);return q.map((z,O)=>`${z}$... L147: `)}vn.columnar=i_0});var bn=R((yn)=>{Object.defineProperty(yn,"__esModule",{value:!0});yn.TERMINAL_INFO=yn.CI_ENVIRONMENT_VARIABLES_DETECTED=yn.CI_ENVIRONMENT_VARIABLES=void 0;var ... L148: `}cn.enforceLF=Hk0;function zk0($,D=
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/sdk.js · L133 (view on unpkg)
131`)}function rS0($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function oS0(){return process.env.DEBUG}function tS0($){$.inspectOpts={};let D=Object.keys(dd.inspectOpts)... L132: `).map((D)=>D.trim()).join(" ")};md.O=function($){return this.inspectOpts.colors=this.useColors,p3.inspect($,this.inspectOpts)}});var o3=R((WM$,ZL)=>{if(typeof process>"u"||process... L133: L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:X,destStat:Q}=await oZ.checkPaths($,D,"copy",J);if(await oZ.checkParentPath... L135: L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:X,destStat:Q}=aZ.checkPathsSync($,D,"copy",J);if(aZ.checkParentPathsSync($,... L137: `,finalEOL:J=!0,replacer:X=null,spaces:Q}={}){let Y=J?D:"",Z=JSON.stringify($,X,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r... L138: `)];for(let[G,q]of U.entries()){if(X+=q,YW.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.code!==void 0)... ... L146: `);return W=Math.max(W,O.length),O})
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/sdk.js · L131 (view on unpkg)
125`)}),D}});var vm=R((Rw$,xm)=>{var I9=a("constants"),XP0=process.cwd,P3=null,QP0=process.env.GRACEFUL_FS_PLATFORM||process.platform;process.cwd=function(){if(!P3)P3=XP0.call(process... L126: GFS4: `),console.error($)};if(!A1[GD]){if(fM=global[GD]||[],bm(A1,fM),A1.close=function($){function D(J,X){return $.call(A1,J,function(Q){if(!Q)hm();if(typeof X==="function")X.appl... L127: `)}}});var OX=s(()=>{Pd()});async function l3($){try{let J=`https://registry.npmjs.org/${encodeURIComponent($.toLowerCase())}`,X=await fetch(J,{headers:{accept:"application/vnd.npm...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/src/sdk.js · L125 (view on unpkg)
108${L}`}});var Ff=R((Yf)=>{Object.defineProperty(Yf,"__esModule",{value:!0});Yf.WebAuthnUnknownError=Yf.WebAuthnError=void 0;Yf.isWebAuthnError=_B0;Yf.identifyRegistrationError=kB0;Y... L109: `);let M=await K.signMessage(new TextEncoder().encode(z),"utf8");if(!M||!(M instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v... L110: `)!=-1,X=this._styles,Q=X.length;while(Q--){var Y=d7[X[Q]];if(D=Y.open+D.replace(Y.closeRe,Y.open)+Y.close,J)D=D.replace(_20,function(Z){return Y.close+Z+Y.open})}return D}V$.setTh...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/sdk.js · L108 (view on unpkg)
4`){if(Y)X+=O_("");let z=Q?H_(Q):void 0;if(Q&&z)X+=z_(z)}else if(H===` L5: `){if(Q&&H_(Q))X+=z_(Q);if(Y)X+=O_(Y)}}return X},lV0;var jN=s(()=>{EN();IN=`${mV0}8;;`,W_=new RegExp(`(?:\\${K_}(?<code>\\d+)m|\\${IN}(?<uri>.*)${AN})`,"y"),lV0=/\r?\n/});var U1=R(... L6: `),Y=0,Z=$;for(let U of Q){if(Z<=U.length)break;Z-=U.length+1,Y++}for(Y=Math.max(0,Math.min(Q.length-1,Y+J)),Z=Math.min(Z,Q[Y].length)+D;Z<0&&Y>0;)Y--,Z+=Q[Y].length+1;for(;Z>Q[Y].... L7: `),X=D.split(` L8: `),Q=Math.max(J.length,X.length),Y=[];for(let Z=0;Z<Q;Z++)J[Z]!==X[Z]&&Y.push(Z);return{lines:Y,numLinesBefore:J.length,numLinesAfter:X.length,numLines:Q}}function G$($){return $==... L9: `).map((F,U,G)=>{let q=Y?Y(F,U):F;return U===0?`${X}${q}`:U===G.length-1?`${Q}${q}`:`${J}${q}`}).join(` ... L14: `).slice(Y);this.output.write(Z.join(` L15: `)),this._prevFrame=$;return}}this.output.write(AD.erase.down())}this.output.write($),this.state==="initial"&&(this.state="active"),this._prevFrame=$}}}function sV0($,D){if($===voi... L16: `?`${D}█ ... L19: `&&(this._setUserInput(this.userInput.slice(0,this.cursor-1)+this.userInput.slice(this.cursor)),this._cursor--),!0):(this.#$(` L20: `),this._cursor++,!1)}constructor($){super(
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/sdk.js · L4 (view on unpkg)
dist/index.js
path = dist/index.js kind = oversized_source_file sizeBytes = 4501191 magicHex = [redacted]
High
Oversized Source File

Package contains source files larger than the static scanner's size ceiling.

dist/index.js (view on unpkg)
path = dist/index.js kind = oversized_cli_entrypoint sizeBytes = 4501191 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/index.js (view on unpkg)

Findings

6 Critical · 7 High · 6 Medium · 5 Low
Critical — Critical Secret — dist/src/sdk.js
Critical — Remote Asset Decode Execute — dist/src/sdk.js
Critical — Trigger Reachable Dangerous Capability — dist/src/sdk.js
Critical — Secret Pattern — dist/src/sdk.js
Critical — Secret Pattern — dist/src/sdk.js
Critical — Secret Pattern — dist/src/sdk.js
High — Child Process — dist/src/sdk.js
High — Eval — dist/src/sdk.js
High — Same File Env Network Execution — dist/src/sdk.js
High — Command Output Exfiltration — dist/src/sdk.js
High — Obfuscated Payload Loader — dist/src/sdk.js
High — Obfuscated
High — Oversized Source File — dist/index.js
Medium — Dynamic Require — dist/src/sdk.js
Medium — Network
Medium — Environment Vars
Medium — Protestware
Medium — Oversized Cli Entrypoint — dist/index.js
Medium — Structural Risk Force Deep Review
Low — Scripts Present
Low — Weak Crypto — dist/src/sdk.js
Low — Filesystem
Low — High Entropy Strings
Low — Url Strings