1#!/usr/bin/env node
L2: var w={live:"https://api.cdp.coinbase.com/platform/v2"};var x={production:"live"};import{readFileSync as Ui}from"node:fs";import{dirname as Fi,join as Wi}from"node:path";import{fil...
L3: if (-not ([System.Management.Automation.PSTypeName]'Win32.Cred').Type) {
...
L19: }
L20: `;function bt(e){let t=bo+e,r=Buffer.from(t,"utf16le").toString("base64");return xo("powershell.exe",["-NoProfile","-NonInteractive","-EncodedCommand",r],{encoding:"utf8",stdio:["p...
L21: $ptr = [IntPtr]::Zero
...
L41: }
L42: [Runtime.InteropServices.Marshal]::FreeHGlobal($blob)`)}delete(t,r){try{bt(`[void][Win32.Cred]::CredDelete('${pe(xt(t,r))}', 1, 0)`)}catch{}}};var vt="cdp-cli",K,lr=!1;function Ue(...
L43: `),lr=!0),K=null}return K}function Q(e){let t=Ue();if(!t)return null;try{return t.get(vt,e)}catch{return null}}function fe(e,t){let r=Ue();if(!r)return!1;try{return r.set(vt,e,t),!...
L44: `,{mode:384})}function ye(e){return Q(`${e}:wallet`)}function Et(e,t){return fe(`${e}:wallet`,t)}function St(e){me(`${e}:wallet`)}function we(e,t){return t||process.env.CDP_ENV||e....
L45: `)),!W(n,r))throw new Error(`no URL for environment "${r}". Set url in config or use a built-in env n
CriticalWallet Drain
Source uses private key material to transfer cryptocurrency funds.
dist/index.jsView on unpkg · L1 50Trigger-reachable chain: manifest.bin -> dist/index.js
L50: `)}
L51: -----END PRIVATE KEY-----`}function At(e){let t;try{t=Buffer.from(e,"base64")}catch{throw new Error("wallet secret is not valid base64")}if(t.length<100||t.length>300)throw new Err...
L52: `);return}let l=Math.max(14,...i.map(c=>c.length));for(let c of i){let u=r.environments[c]??{},d=W(u,c),p=u.key_id?u.key_id.length>40?u.key_id.slice(0,37)+"...":u.key_id:"(no key)"...
...
L65: `||s==="\r"||s===""?(r.setRawMode(!1),r.pause(),r.removeListener("data",o),process.stderr.write(`
L66: `),t(n)):s==="\x7F"||s==="\b"?n=n.slice(0,-1):s===""?process.exit(1):n+=s};r.on("data",o)}):new Promise(t=>{let r=Ge({input:process.stdin});r.once("line",n=>{r.close(),t(n)})})}fu...
L67: Run: cdp env <name> --key-id=... --key-secret=... to configure.`),R(n.join(`
CriticalTrigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L50 48patternName = private_key_rsa
severity = critical
line = 48
matchedText = `}var _o...----
48patternName = private_key_ec
severity = critical
line = 48
matchedText = `}var _o...----
65`||s==="\r"||s===""?(r.setRawMode(!1),r.pause(),r.removeListener("data",o),process.stderr.write(`
L66: `),t(n)):s==="\x7F"||s==="\b"?n=n.slice(0,-1):s===""?process.exit(1):n+=s};r.on("data",o)}):new Promise(t=>{let r=Ge({input:process.stdin});r.once("line",n=>{r.close(),t(n)})})}fu...
L67: Run: cdp env <name> --key-id=... --key-secret=... to configure.`),R(n.join(`
...
L73: ${l.join(`
L74: `)}`)}function as(e,t){return e.FORCE_HYPERLINK==="0"?!1:e.FORCE_HYPERLINK?!0:!t||e.CI?!1:!!(/ghostty|iterm|wezterm|hyper/i.test(e.TERM_PROGRAM||"")||e.WT_SESSION||parseInt(e.VTE_V...
L75: `),i="",l=!1),i+=(i?" ":"")+c}i&&e.write((l?t:" ".repeat(o))+i.trimEnd()+`
HighSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L65 50`)}
L51: -----END PRIVATE KEY-----`}function At(e){let t;try{t=Buffer.from(e,"base64")}catch{throw new Error("wallet secret is not valid base64")}if(t.length<100||t.length>300)throw new Err...
L52: `);return}let l=Math.max(14,...i.map(c=>c.length));for(let c of i){let u=r.environments[c]??{},d=W(u,c),p=u.key_id?u.key_id.length>40?u.key_id.slice(0,37)+"...":u.key_id:"(no key)"...
...
L65: `||s==="\r"||s===""?(r.setRawMode(!1),r.pause(),r.removeListener("data",o),process.stderr.write(`
L66: `),t(n)):s==="\x7F"||s==="\b"?n=n.slice(0,-1):s===""?process.exit(1):n+=s};r.on("data",o)}):new Promise(t=>{let r=Ge({input:process.stdin});r.once("line",n=>{r.close(),t(n)})})}fu...
L67: Run: cdp env <name> --key-id=... --key-secret=... to configure.`),R(n.join(`
HighCommand Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L50