registry  /  @infisical/cli  /  0.43.104

@infisical/cli@0.43.104

<h1 align="center">Infisical CLI</h1> <p align="center"> <p align="center"><b>Embrace shift-left security with the Infisical CLI and strengthen your DevSecOps practices by seamlessly managing secrets across your workflows, pipelines, and applications.</

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package uses an install hook to download and install its own CLI binary from the Infisical GitHub release path.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install / preinstall lifecycle
Impact
Installs the Infisical CLI executable into bin; no source evidence of credential theft, exfiltration, persistence, or foreign control-surface mutation.
Mechanism
package-aligned binary downloader and extractor
Rationale
The install-time network and binary-write behavior is real, but it is a normal package-aligned CLI installer path and is constrained to Infisical release assets and bin outputs. Static inspection found no concrete malicious chain or unconsented mutation of a foreign AI-agent control surface.
Evidence
package.jsonsrc/index.cjsREADME.mdinfisical-cli-0.43.104.tgzbin/infisicalbin/infisical.exe
Network endpoints1
github.com/Infisical/cli/releases/download/v0.43.104/cli_0.43.104_${PLATFORM}_${ARCH}.${EXTENSION}

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines preinstall: node src/index.cjs
  • src/index.cjs fetches a platform/arch Infisical release binary from GitHub during install
  • src/index.cjs writes extracted executable files under bin/ and chmods bin/infisical
Evidence against
  • Download URL is package-aligned: github.com/Infisical/cli release for package version 0.43.104
  • Archive extraction filters to infisical/infisical.exe only
  • No credential/env harvesting, broad filesystem scanning, persistence, destructive behavior, or exfiltration found
  • Only child_process use is uname -m for ARM architecture detection
  • Package tarball contains only package.json, README.md, .eslintrc.json, and src/index.cjs
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 5.26 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.preinstall = node src/index.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
infisical-cli-0.43.104.tgzView file
path = infisical-cli-0.43.104.tgz kind = compressed_blob sizeBytes = 3363 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

infisical-cli-0.43.104.tgzView on unpkg
path = infisical-cli-0.43.104.tgz kind = nested_archive_needs_inspection sizeBytes = 3363 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

infisical-cli-0.43.104.tgzView on unpkg

Findings

1 High3 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumShips Compressed Blobinfisical-cli-0.43.104.tgz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowNested Archive Needs Inspectioninfisical-cli-0.43.104.tgz
LowNo License