registry  /  @infisical/cli  /  0.43.109

@infisical/cli@0.43.109

<h1 align="center">Infisical CLI</h1> <p align="center"> <p align="center"><b>Embrace shift-left security with the Infisical CLI and strengthen your DevSecOps practices by seamlessly managing secrets across your workflows, pipelines, and applications.</

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Installation fetches an executable archive from GitHub Releases, extracts an `infisical` binary, and makes it executable. The remote binary is not present in the package and is not integrity-verified by this installer.

Static reason
One or more suspicious static signals were detected.
Trigger
npm preinstall
Impact
A compromised or substituted release artifact could supply code later run through the CLI binary.
Mechanism
remote binary download and extraction
Rationale
This is not confirmed malicious: its endpoint and documented purpose align with the package. However, the install-time unverified remote executable fetch is a concrete supply-chain risk that warrants a warning.
Evidence
package.jsonsrc/index.cjsinfisical-cli-0.43.109.tgzREADME.mdbin/infisicalbin/infisical.exe
Network endpoints1
github.com/Infisical/cli/releases/download/v0.43.109/cli_0.43.109_{platform}_{arch}.{tar.gz|zip}

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `node src/index.cjs` as `preinstall`.
  • `src/index.cjs` downloads a platform binary during install and writes it under `bin/`.
  • The downloaded tar/zip has no checksum or signature verification before extraction and chmod.
Evidence against
  • Only endpoint is package-aligned GitHub Releases for the same version.
  • Source has no credential/env harvesting, exfiltration, eval, persistence, or AI-agent control writes.
  • Bundled `infisical-cli-0.43.109.tgz` contains the same `src/index.cjs` source (matching SHA-256).
  • `execSync("uname -m")` is limited to ARM architecture detection.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 5.26 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.preinstall = node src/index.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
infisical-cli-0.43.109.tgzView file
path = infisical-cli-0.43.109.tgz kind = compressed_blob sizeBytes = 3364 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

infisical-cli-0.43.109.tgzView on unpkg
path = infisical-cli-0.43.109.tgz kind = nested_archive_needs_inspection sizeBytes = 3364 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

infisical-cli-0.43.109.tgzView on unpkg

Findings

1 High3 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumShips Compressed Blobinfisical-cli-0.43.109.tgz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowNested Archive Needs Inspectioninfisical-cli-0.43.109.tgz
LowNo License