registry  /  @code.india/cli  /  0.1.2

@code.india/cli@0.1.2

code.in CLI — sovereign coding for India: keyless OAuth, durable memory, DPDP data-residency, with the code.in engine.

AI Security Review

scanned 11h ago · by lpm-firewall-ai

The code.in-branded CLI authenticates users against code.ae infrastructure and stores/uses those credentials under code.ae paths. During agent use it can upload local memory records to that credential API, and it silently force-installs a global wrapper update on exit.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run `codein login`, then use the CLI/plugins; a cached newer version activates the exit-time updater.
Impact
OAuth credentials and persisted user/project memory can be routed to code.ae infrastructure despite code.in branding; later execution can replace the global CLI without an explicit update command.
Mechanism
misbranded OAuth and memory egress plus detached forced global update
Attack narrative
A package advertised as `@code.india/cli` embeds code.ae configuration and sends its OAuth flow to `app.code.ae` and `code-ae-api.onrender.com`. The resulting bearer token is reused by plugins that synchronize local memory records to the credential API base. Separately, normal CLI use can register an exit handler that detached-runs `npm install -g codein-cli@latest --force` after a cache-based version check, replacing software without invoking the explicit update command.
Rationale
The branding/domain mismatch is implemented in executable auth, configuration, and memory-sync paths, creating a concrete credential and data-routing chain. The hidden forced updater compounds the supply-chain risk; absence of install hooks does not remove the runtime behavior.
Evidence
package.jsoncodein.jsoncdist/index.jsdist/plugin/auth.jsdist/plugin/memory.js~/.code-ae/credentials.json~/.code-ae/update-check.json
Network endpoints3
code-ae-api.onrender.com/api/v1app.code.aeregistry.npmjs.org/@code.india%2Fcli

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/index.js` defaults OAuth login/exchange to `code-ae-api.onrender.com` and `app.code.ae`, not code.in.
  • `codein.jsonc` identifies itself as code.ae and routes auth with `CODEAE_TOKEN`/`CODEAE_GATEWAY_URL`.
  • `dist/plugin/memory.js` posts local memory records with the OAuth bearer token to the credential API base.
  • `dist/index.js` schedules a detached `npm install -g codein-cli@latest --force` on exit after a cached update check.
  • `dist/index.js` uses code.ae credential storage and login messaging throughout the code.in CLI.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • OAuth exchange is reached through an explicit `login` command and uses a loopback callback with state validation.
  • No obfuscated payload, eval, or foreign AI-agent configuration write was found in inspected package files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 13 file(s), 6.03 MB of source, external domains: 127.0.0.1, api.code.in, api.openai.com, app.code.ae, code-ae-api.onrender.com, github.com, help.openai.com, json-schema.org, registry.npmjs.org

Source & flagged code

8 flagged · loading source
dist/plugin/auth.jsView file
4import { promises as fs } from "node:fs"; L5: import { spawnSync } from "node:child_process"; L6: import { dirname } from "node:path";
High
Child Process

Package source references child process execution.

dist/plugin/auth.jsView on unpkg · L4
76function ps(script, input) { L77: const res = run("powershell", ["-NoProfile", "-NonInteractive", "-Command", script], input); L78: if (!res.ok) throw new Error(`credential vault (dpapi) failed: ${res.stderr.trim() || "nonzero exit"}`);
High
Shell

Package source references shell execution.

dist/plugin/auth.jsView on unpkg · L76
4import { promises as fs } from "node:fs"; L5: import { spawnSync } from "node:child_process"; L6: import { dirname } from "node:path"; ... L8: // src/config.ts L9: var API_BASE = process.env["CODE_AE_API_BASE"] ?? "https://code-ae-api.onrender.com/api/v1"; L10: var WEB_BASE = process.env["CODE_AE_WEB_BASE"] ?? "https://app.code.ae";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/plugin/auth.jsView on unpkg · L4
4import { promises as fs } from "node:fs"; L5: import { spawnSync } from "node:child_process"; L6: import { dirname } from "node:path"; ... L8: // src/config.ts L9: var API_BASE = process.env["CODE_AE_API_BASE"] ?? "https://code-ae-api.onrender.com/api/v1"; L10: var WEB_BASE = process.env["CODE_AE_WEB_BASE"] ?? "https://app.code.ae"; ... L32: function nativeForPlatform() { L33: if (process.platform === "win32") return "dpapi"; L34: if (process.platform === "darwin") return "keychain"; ... L51: } L52: return { ok: res.status === 0, stdout: res.stdout ?? "", stderr: res.stderr ?? "" }; L53: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/plugin/auth.jsView on unpkg · L4
dist/plugin/floor.jsView file
858"use strict"; L859: var punycode = __require("punycode"); L860: var mappingTable = require_mappingTable();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugin/floor.jsView on unpkg · L858
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @code.india/cli@0.1.1 matchedIdentity = npm:QGNvZGUuaW5kaWEvY2xp:0.1.1 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
57import { promises as fs } from "node:fs"; L58: import { spawnSync } from "node:child_process"; L59: import { dirname } from "node:path"; ... L1756: function cannotHaveAUsernamePasswordPort(url) { L1757: return url.host === null || url.host === "" || url.cannotBeABaseURL || url.scheme === "file"; L1758: } ... L19830: try { L19831: const pkg = JSON.parse(readFileSync(resolve(dirname3(enginePath), "package.json"), "utf8")); L19832: if (pkg.engineVersion && pkg.engineVersion !== EXPECTED_OPENCODE_VERSION) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.jsView on unpkg · L57
dist/plugin/memory.jsView file
223Cross-file remote execution chain: dist/plugin/memory.js spawns dist/plugin/floor.js; helper contains network access plus dynamic code execution. L223: for (let i = 0; i < segment.length; ++i) { L224: let c = segment.charCodeAt(i); L225: if (c === 45 || // - ... L632: Object.defineProperty(exports, "__esModule", { value: true }); L633: exports.setShims = exports.isFsReadStream = exports.fileFromPath = exports.getDefaultAgent = exports.getMultipartRequestOptions = exports.ReadableStream = exports.File = exports.Bl... L634: exports.auto = false; ... L2162: } L2163: get hostname() { L2164: if (this._url.host === null) { ... L2406: }, L2407: create(constructorArgs, privateData) { L2408: let obj = Object.create(URL2.prototype);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/plugin/memory.jsView on unpkg · L223

Findings

1 Critical6 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/plugin/auth.js
HighShelldist/plugin/auth.js
HighSame File Env Network Executiondist/plugin/auth.js
HighSandbox Evasion Gated Capabilitydist/plugin/auth.js
HighRemote Agent Bridgedist/index.js
HighCross File Remote Execution Contextdist/plugin/memory.js
MediumDynamic Requiredist/plugin/floor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License