registry  /  @indigoai-us/hq-cloud  /  6.14.6

@indigoai-us/hq-cloud@6.14.6

HQ by Indigo cloud sync engine — bidirectional S3 sync for mobile access

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 277 file(s), 4.89 MB of source, external domains: api.example.com, cognito-idp.eu-west-1.amazonaws.com, cognito-idp.us-east-1.amazonaws.com, example.com, github.com, hqapi.hq.computer, s3.test, signed.example, sqs.local, sqs.us-east-1.amazonaws.com, vault-api.example.com, vault-api.test, vault.test, vault.test.example.com

Source & flagged code

12 flagged · loading source
dist/vault-client.test.jsView file
593patternName = aws_access_key severity = critical line = 593 matchedText = accessKe...LE",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/vault-client.test.jsView on unpkg · L593
593patternName = aws_access_key severity = critical line = 593 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L593
600patternName = aws_access_key severity = critical line = 600 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L600
611patternName = aws_access_key severity = critical line = 611 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L611
618patternName = aws_access_key severity = critical line = 618 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L618
dist/lib/machine-id.jsView file
23* Resolution order (first hit wins, every miss falls through): L24: * 1. `process.env.HQ_MACHINE_ID` — explicit override for CI / tests. L25: * 2. `<hqRoot>/.hq/machine-id` — source-of-truth on the host. ... L42: * load) so tests overriding `HOME` post-import see the right file. Going L43: * through `os.homedir()` rather than `process.env.HOME` keeps the Windows L44: * USERPROFILE fallback intact. ... L75: const raw = fs.readFileSync(menubarJsonPath(), "utf-8"); L76: const parsed = JSON.parse(raw); L77: if (typeof parsed.machineId === "string" && parsed.machineId.length > 0) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/lib/machine-id.jsView on unpkg · L23
scripts/vault-rescue.shView file
path = scripts/vault-rescue.sh kind = build_helper sizeBytes = 10887 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/vault-rescue.shView on unpkg
dist/cli/rescue-core.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @indigoai-us/hq-cloud@6.14.1 matchedIdentity = npm:QGluZGlnb2FpLXVzL2hxLWNsb3Vk:6.14.1 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/rescue-core.jsView on unpkg
src/vault-client.test.tsView file
786patternName = aws_access_key severity = critical line = 786 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L786
796patternName = aws_access_key severity = critical line = 796 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L796
810patternName = aws_access_key severity = critical line = 810 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L810
820patternName = aws_access_key severity = critical line = 820 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L820

Findings

9 Critical1 High4 Medium6 Low
CriticalCritical Secretdist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patternsrc/vault-client.test.ts
CriticalSecret Patternsrc/vault-client.test.ts
CriticalSecret Patternsrc/vault-client.test.ts
CriticalSecret Patternsrc/vault-client.test.ts
HighPrevious Version Dangerous Deltadist/cli/rescue-core.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/vault-rescue.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/lib/machine-id.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings