
@capgo/cli@8.23.4

⚠ Under review

A CLI to upload to capgo servers

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 24 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
A high-risk combination of behaviors matched the malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 2.16 MB of source, external domains: accounts.google.com, androidpublisher.googleapis.com, api.appstoreconnect.apple.com, api.capgo.app, appstoreconnect.apple.com, capacitorjs.com, capgo.app, cli.github.com, console.capgo.app, developer.android.com, developer.mozilla.org, docs.npmjs.com, eu.i.posthog.com, files.capgo.app, github.com, json-schema.org, mths.be, oauth2.googleapis.com, plugin.capgo.app, rafeca.com, s3.amazonaws.com, schemas.android.com, semver.org, support.google.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
dist/index.js: 4.24 MB file, sampled 256 KB
Network, ChildProcess, EnvironmentVars, HighEntropyStrings, Minified, UrlStrings; domains: capgo.app, console.capgo.app, developer.android.com, eu.i.posthog.com, github.com

Source & flagged code

15 flagged
dist/src/sdk.js
463patternName = private_key_rsa severity = critical line = 463 matchedText = `||Y==="...thm.
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/sdk.js · L463
4`){if(Y)J+=Mv("");let z=Q?Kv(Q):void 0;if(Q&&z)J+=Nv(z)}else if(H===` L5: `){if(Q&&Kv(Q))J+=Nv(Q);if(Y)J+=Mv(Y)}}return J},Jz0;var iK=s(()=>{dK();nK=`${$z0}8;;`,Vv=new RegExp(`(?:\\${Lv}(?<code>\\d+)m|\\${nK}(?<uri>.*)${lK})`,"y"),Jz0=/\r?\n/});var Y1=A(... L6: `),Y=0,Z=$;for(let U of Q){if(Z<=U.length)break;Z-=U.length+1,Y++}for(Y=Math.max(0,Math.min(Q.length-1,Y+X)),Z=Math.min(Z,Q[Y].length)+D;Z<0&&Y>0;)Y--,Z+=Q[Y].length+1;for(;Z>Q[Y].... L7: `),J=D.split(` L8: `),Q=Math.max(X.length,J.length),Y=[];for(let Z=0;Z<Q;Z++)X[Z]!==J[Z]&&Y.push(Z);return{lines:Y,numLinesBefore:X.length,numLinesAfter:J.length,numLines:Q}}function Z$($){return $==... L9: `).map((F,U,G)=>{let q=Y?Y(F,U):F;return U===0?`${J}${q}`:U===G.length-1?`${Q}${q}`:`${X}${q}`}).join(` ... L14: `).slice(Y);this.output.write(Z.join(` L15: `)),this._prevFrame=$;return}}this.output.write(ND.erase.down())}this.output.write($),this.state==="initial"&&(this.state="active"),this._prevFrame=$}}}function Wz0($,D){if($===voi... L16: `?`${D}█ ... L19: `&&(this._setUserInput(this.userInput.slice(0,this.cursor-1)+this.userInput.slice(this.cursor)),this._cursor--),!0):(this.#$(` L20: `),this._cursor++,!1)}constructor($){super(
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/src/sdk.js · L4
131Trigger-reachable chain: manifest.exports -> dist/src/sdk.js L131: `)}function FT0($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function UT0(){return process.env.DEBUG}function GT0($){$.inspectOpts={};let D=Object.keys(im.inspectOpts)... L132: `).map((D)=>D.trim()).join(" ")};nm.O=function($){return this.inspectOpts.colors=this.useColors,Cq.inspect($,this.inspectOpts)}});var Pq=A((Mz$,jw)=>{if(typeof process>"u"||process... L133: L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:J,destStat:Q}=await kZ.checkPaths($,D,"copy",X);if(await kZ.checkParentPath... L135: L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:J,destStat:Q}=fZ.checkPathsSync($,D,"copy",X);if(fZ.checkParentPathsSync($,... L137: `,finalEOL:X=!0,replacer:J=null,spaces:Q}={}){let Y=X?D:"",Z=JSON.stringify($,J,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r... L138: `)];for(let[G,q]of U.entries()){if(J+=q,bq.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.co…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/sdk.js · L131
463patternName = private_key_rsa severity = critical line = 463 matchedText = `||Y==="...thm.
Critical
Secret Pattern

RSA private key in dist/src/sdk.js

dist/src/sdk.js · L463
472patternName = private_key_rsa severity = critical line = 472 matchedText = `+" - T...in(`
Critical
Secret Pattern

RSA private key in dist/src/sdk.js

dist/src/sdk.js · L472
650patternName = private_key_rsa severity = critical line = 650 matchedText = All pack... Y=`
Critical
Secret Pattern

RSA private key in dist/src/sdk.js

dist/src/sdk.js · L650
273L274: see https://github.com/jprichardson/node-fs-extra/issues/269`);WF.checkPaths($,D,"copy",(Q,Y)=>{if(Q)return J(Q);let{srcStat:Z,destStat:F}=Y;WF.checkParentPaths($,Z,D,"copy",(U)=>{... L275: `)}YD0.check=Bc0;async function Ec0($){var D;if((D=$.app.extConfig.server)===null||D===void 0?void 0:D.url)return null;if(["",".","..","../","./"].includes($.app.webDir))return`"${...
High
Child Process

Package source references child process execution.

dist/src/sdk.js · L273
311export default config; L312: `}});var OH,f9,JE,RD0,AD0,ID0,jD0,CD0;var QE=s(()=>{OH=M$(ED0(),1),f9=M$(_W(),1),JE=OH.loadConfig,RD0=OH.writeConfig,AD0=f9.findMonorepoRoot,ID0=f9.findNXMonorepoRoot,jD0=f9.isMono... L313: `)}var uD0=($,D)=>{$.name="$ZodError",Object.defineProperty($,"_zod",{value:$._zod,enumerable:!1}),Object.defineProperty($,"issues",{value:D,enumerable:!1}),$.message=JSON.stringif...
High
Eval

Package source references dynamic code evaluation.

dist/src/sdk.js · L311
133L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:J,destStat:Q}=await kZ.checkPaths($,D,"copy",X);if(await kZ.checkParentPath... L135: L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:J,destStat:Q}=fZ.checkPathsSync($,D,"copy",X);if(fZ.checkParentPathsSync($,... L137: `,finalEOL:X=!0,replacer:J=null,spaces:Q}={}){let Y=X?D:"",Z=JSON.stringify($,J,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r... L138: `)];for(let[G,q]of U.entries()){if(J+=q,bq.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.code!==void 0)... ... L146: `);return W=Math.max(W,O.length),O});for(let z in q)if(Z[z])Z[z].push(...H[z],...Array(W-H[z].length).fill(""))}let F=Z.map((q,W)=>{if(W<Y-1){let H=ul(q);return q.map((z,O)=>`${z}$... L147: `)}fl.columnar=Yx0});var cl=A((gl)=>{Object.defineProperty(gl,"__esModule",{value:!0});gl.TERMINAL_INFO=gl.CI_ENVIRONMENT_VARIABLES_DETECTED=gl.CI_ENVIRONMENT_VARIABLES=void 0;var ... L148: `}pl.enforceLF=Ix0;function jx0($,D=
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/sdk.js · L133
131`)}function FT0($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function UT0(){return process.env.DEBUG}function GT0($){$.inspectOpts={};let D=Object.keys(im.inspectOpts)... L132: `).map((D)=>D.trim()).join(" ")};nm.O=function($){return this.inspectOpts.colors=this.useColors,Cq.inspect($,this.inspectOpts)}});var Pq=A((Mz$,jw)=>{if(typeof process>"u"||process... L133: L134: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0001");let{srcStat:J,destStat:Q}=await kZ.checkPaths($,D,"copy",X);if(await kZ.checkParentPath... L135: L136: see https://github.com/jprichardson/node-fs-extra/issues/269`,"Warning","fs-extra-WARN0002");let{srcStat:J,destStat:Q}=fZ.checkPathsSync($,D,"copy",X);if(fZ.checkParentPathsSync($,... L137: `,finalEOL:X=!0,replacer:J=null,spaces:Q}={}){let Y=X?D:"",Z=JSON.stringify($,J,Q);if(Z===void 0)throw TypeError(`Converting ${typeof $} value to JSON is not supported`);return Z.r... L138: `)];for(let[G,q]of U.entries()){if(J+=q,bq.has(q)){let{groups:H}=new RegExp("(?:\\[(?<code>\\d+)m|\\]8;;(?<uri>.*)\x07)").exec(U.slice(G).join(""))||{groups:{}};if(H.code!==void 0)... ... L146: `);return W=Math.max(W,O.length),O})
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/sdk.js · L131
125`)}),D}});var fg=A((SH$,ug)=>{var O9=a("constants"),Kj0=process.cwd,Gq=null,Nj0=process.env.GRACEFUL_FS_PLATFORM||process.platform;process.cwd=function(){if(!Gq)Gq=Kj0.call(process... L126: GFS4: `),console.error($)};if(!L1[QD]){if(Jw=global[QD]||[],cg(L1,Jw),L1.close=function($){function D(X,J){return $.call(L1,X,function(Q){if(!Q)dg();if(typeof J==="function")J.appl... L127: `)}}});var X5=s(()=>{_m()});async function Aq($){try{let X=`https://registry.npmjs.org/${encodeURIComponent($.toLowerCase())}`,J=await fetch(X,{headers:{accept:"application/vnd.npm...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/src/sdk.js · L125
108${L}`}});var Wf=A((Gf)=>{Object.defineProperty(Gf,"__esModule",{value:!0});Gf.WebAuthnUnknownError=Gf.WebAuthnError=void 0;Gf.isWebAuthnError=iM0;Gf.identifyRegistrationError=pM0;G... L109: `);let w=await K.signMessage(new TextEncoder().encode(z),"utf8");if(!w||!(w instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v... L110: `)!=-1,J=this._styles,Q=J.length;while(Q--){var Y=xX[J[Q]];if(D=Y.open+D.replace(Y.closeRe,Y.open)+Y.close,X)D=D.replace(iL0,function(Z){return Y.close+Z+Y.open})}return D}H$.setTh...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/sdk.js · L108
4`){if(Y)J+=Mv("");let z=Q?Kv(Q):void 0;if(Q&&z)J+=Nv(z)}else if(H===` L5: `){if(Q&&Kv(Q))J+=Nv(Q);if(Y)J+=Mv(Y)}}return J},Jz0;var iK=s(()=>{dK();nK=`${$z0}8;;`,Vv=new RegExp(`(?:\\${Lv}(?<code>\\d+)m|\\${nK}(?<uri>.*)${lK})`,"y"),Jz0=/\r?\n/});var Y1=A(... L6: `),Y=0,Z=$;for(let U of Q){if(Z<=U.length)break;Z-=U.length+1,Y++}for(Y=Math.max(0,Math.min(Q.length-1,Y+X)),Z=Math.min(Z,Q[Y].length)+D;Z<0&&Y>0;)Y--,Z+=Q[Y].length+1;for(;Z>Q[Y].... L7: `),J=D.split(` L8: `),Q=Math.max(X.length,J.length),Y=[];for(let Z=0;Z<Q;Z++)X[Z]!==J[Z]&&Y.push(Z);return{lines:Y,numLinesBefore:X.length,numLinesAfter:J.length,numLines:Q}}function Z$($){return $==... L9: `).map((F,U,G)=>{let q=Y?Y(F,U):F;return U===0?`${J}${q}`:U===G.length-1?`${Q}${q}`:`${X}${q}`}).join(` ... L14: `).slice(Y);this.output.write(Z.join(` L15: `)),this._prevFrame=$;return}}this.output.write(ND.erase.down())}this.output.write($),this.state==="initial"&&(this.state="active"),this._prevFrame=$}}}function Wz0($,D){if($===voi... L16: `?`${D}█ ... L19: `&&(this._setUserInput(this.userInput.slice(0,this.cursor-1)+this.userInput.slice(this.cursor)),this._cursor--),!0):(this.#$(` L20: `),this._cursor++,!1)}constructor($){super(
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/sdk.js · L4
dist/index.js
path = dist/index.js kind = oversized_source_file sizeBytes = 4441461 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.js
path = dist/index.js kind = oversized_cli_entrypoint sizeBytes = 4441461 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/index.js

Findings

6 Critical, 7 High, 6 Medium, 5 Low
Critical · Critical Secret · dist/src/sdk.js
Critical · Remote Asset Decode Execute · dist/src/sdk.js
Critical · Trigger Reachable Dangerous Capability · dist/src/sdk.js
Critical · Secret Pattern · dist/src/sdk.js
Critical · Secret Pattern · dist/src/sdk.js
Critical · Secret Pattern · dist/src/sdk.js
High · Child Process · dist/src/sdk.js
High · Eval · dist/src/sdk.js
High · Same File Env Network Execution · dist/src/sdk.js
High · Command Output Exfiltration · dist/src/sdk.js
High · Obfuscated Payload Loader · dist/src/sdk.js
High · Obfuscated
High · Oversized Source File · dist/index.js
Medium · Dynamic Require · dist/src/sdk.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Oversized Cli Entrypoint · dist/index.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/src/sdk.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings