registry  /  @code.india/cli  /  0.1.3

@code.india/cli@0.1.3

code.in CLI — sovereign coding for India: keyless OAuth, durable memory, DPDP data-residency, with the code.in engine.

Static Scan Results

scanned 12h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 97.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 13 file(s), 6.03 MB of source, external domains: 127.0.0.1, api.openai.com, app.code.ae, code-ae-api.onrender.com, code-in-api.onrender.com, github.com, help.openai.com, json-schema.org, registry.npmjs.org

Source & flagged code

12 flagged · loading source
dist/plugin/auth.jsView file
4import { promises as fs } from "node:fs"; L5: import { spawnSync } from "node:child_process"; L6: import { dirname } from "node:path";
High
Child Process

Package source references child process execution.

dist/plugin/auth.jsView on unpkg · L4
76function ps(script, input) { L77: const res = run("powershell", ["-NoProfile", "-NonInteractive", "-Command", script], input); L78: if (!res.ok) throw new Error(`credential vault (dpapi) failed: ${res.stderr.trim() || "nonzero exit"}`);
High
Shell

Package source references shell execution.

dist/plugin/auth.jsView on unpkg · L76
4import { promises as fs } from "node:fs"; L5: import { spawnSync } from "node:child_process"; L6: import { dirname } from "node:path"; ... L8: // src/config.ts L9: var API_BASE = process.env["CODE_AE_API_BASE"] ?? "https://code-ae-api.onrender.com/api/v1"; L10: var WEB_BASE = process.env["CODE_AE_WEB_BASE"] ?? "https://app.code.ae";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/plugin/auth.jsView on unpkg · L4
4import { promises as fs } from "node:fs"; L5: import { spawnSync } from "node:child_process"; L6: import { dirname } from "node:path"; ... L8: // src/config.ts L9: var API_BASE = process.env["CODE_AE_API_BASE"] ?? "https://code-ae-api.onrender.com/api/v1"; L10: var WEB_BASE = process.env["CODE_AE_WEB_BASE"] ?? "https://app.code.ae"; ... L32: function nativeForPlatform() { L33: if (process.platform === "win32") return "dpapi"; L34: if (process.platform === "darwin") return "keychain"; ... L51: } L52: return { ok: res.status === 0, stdout: res.stdout ?? "", stderr: res.stderr ?? "" }; L53: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/plugin/auth.jsView on unpkg · L4
matchType = normalized_sha256 matchedPackage = @code.india/cli@0.1.2 matchedPath = dist/plugin/auth.js matchedIdentity = npm:QGNvZGUuaW5kaWEvY2xp:0.1.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/plugin/auth.jsView on unpkg
dist/plugin/floor.jsView file
858"use strict"; L859: var punycode = __require("punycode"); L860: var mappingTable = require_mappingTable();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugin/floor.jsView on unpkg · L858
dist/index.jsView file
57import { promises as fs } from "node:fs"; L58: import { spawnSync } from "node:child_process"; L59: import { dirname } from "node:path"; ... L1756: function cannotHaveAUsernamePasswordPort(url) { L1757: return url.host === null || url.host === "" || url.cannotBeABaseURL || url.scheme === "file"; L1758: } ... L19830: try { L19831: const pkg = JSON.parse(readFileSync(resolve(dirname3(enginePath), "package.json"), "utf8")); L19832: if (pkg.engineVersion && pkg.engineVersion !== EXPECTED_OPENCODE_VERSION) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.jsView on unpkg · L57
matchType = normalized_sha256 matchedPackage = @code.india/cli@0.1.2 matchedPath = dist/index.js matchedIdentity = npm:QGNvZGUuaW5kaWEvY2xp:0.1.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = d09b07ae55c8f795 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @code.india/cli@0.1.2 matchedPath = dist/index.js matchedIdentity = npm:QGNvZGUuaW5kaWEvY2xp:0.1.2 similarity = 1.000 shingleOverlap = 10 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/index.jsView on unpkg
dist/plugin/memory.jsView file
223Cross-file remote execution chain: dist/plugin/memory.js spawns dist/plugin/floor.js; helper contains network access plus dynamic code execution. L223: for (let i = 0; i < segment.length; ++i) { L224: let c = segment.charCodeAt(i); L225: if (c === 45 || // - ... L632: Object.defineProperty(exports, "__esModule", { value: true }); L633: exports.setShims = exports.isFsReadStream = exports.fileFromPath = exports.getDefaultAgent = exports.getMultipartRequestOptions = exports.ReadableStream = exports.File = exports.Bl... L634: exports.auto = false; ... L2162: } L2163: get hostname() { L2164: if (this._url.host === null) { ... L2406: }, L2407: create(constructorArgs, privateData) { L2408: let obj = Object.create(URL2.prototype);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/plugin/memory.jsView on unpkg · L223
matchType = normalized_sha256 matchedPackage = @code.india/cli@0.1.2 matchedPath = dist/plugin/memory.js matchedIdentity = npm:QGNvZGUuaW5kaWEvY2xp:0.1.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/plugin/memory.jsView on unpkg
dist/plugin/memory-tools.jsView file
matchType = normalized_sha256 matchedPackage = @code.india/cli@0.1.2 matchedPath = dist/plugin/memory-tools.js matchedIdentity = npm:QGNvZGUuaW5kaWEvY2xp:0.1.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/plugin/memory-tools.jsView on unpkg

Findings

11 High5 Medium5 Low
HighChild Processdist/plugin/auth.js
HighShelldist/plugin/auth.js
HighSame File Env Network Executiondist/plugin/auth.js
HighSandbox Evasion Gated Capabilitydist/plugin/auth.js
HighRemote Agent Bridgedist/index.js
HighCross File Remote Execution Contextdist/plugin/memory.js
HighKnown Malware Source Similaritydist/index.js
HighKnown Malware Source Similaritydist/plugin/auth.js
HighKnown Malware Source Similaritydist/plugin/memory-tools.js
HighKnown Malware Source Similaritydist/plugin/memory.js
HighKnown Malware Source Fingerprint Signaturedist/index.js
MediumDynamic Requiredist/plugin/floor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License