registry  /  @keystrokehq/cli  /  0.1.45

@keystrokehq/cli@0.1.45

⚠ Under review

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 127 file(s), 4.04 MB of source, external domains: 127.0.0.1, angular.io, api.keystroke.ai, cscott.net, datatracker.ietf.org, dom.spec.whatwg.org, empty.invalid, example.com, github.com, json-schema.org, keystroke.ai, landley.net, raw.githubusercontent.com, registry.npmjs.org, trac.webkit.org, www.ibm.com, www.w3.org, www.whatwg.org

Source & flagged code

6 flagged · loading source
dist/dist-COvVTq3V.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @keystrokehq/cli@0.1.24 matchedIdentity = npm:QGtleXN0cm9rZWhxL2NsaQ:0.1.24 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/dist-COvVTq3V.mjsView on unpkg
9374const execResult = result[result.length - 1]; L9375: if (typeof execResult === "undefined") throw new Error("Pipeline cannot be used to send any commands when the `exec()` has been called on it."); L9376: if (execResult[0]) {
High
Child Process

Package source references child process execution.

dist/dist-COvVTq3V.mjsView on unpkg · L9374
35//#region ../../node_modules/.pnpm/just-bash@3.0.1/node_modules/just-bash/dist/bundle/chunks/chunk-G5EVRAOO.js L36: createRequire(import.meta.url); L37: var p;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/dist-COvVTq3V.mjsView on unpkg · L35
333} L334: return process.env.KEYSTROKE_ROOT ?? process.cwd(); L335: } ... L1261: nodeType, L1262: data: { L1263: label, ... L2111: { L2112: name: "base64", L2113: load: async () => (await import("./base64-C2AIWVNC-C0WIgu5V.mjs")).base64Command ... L2230: Object.freeze({ L2231: stdout: "", L2232: stderr: "",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/dist-COvVTq3V.mjsView on unpkg · L333
dist/dist-83uw4_yr.mjsView file
6743if (this.opts.code.process) sourceCode = this.opts.code.process(sourceCode, sch); L6744: const validate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode)(this, this.scope.get()); L6745: this.scope.value(validateName, { ref: validate });
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dist-83uw4_yr.mjsView on unpkg · L6743
dist/js-exec-N5KEZBH7-CgtG-I6s.mjsView file
48Cross-file remote execution chain: dist/js-exec-N5KEZBH7-CgtG-I6s.mjs spawns dist/chunk-TN7HHBQW-CSB_R-XD.mjs; helper contains network access plus dynamic code execution. L48: Available modules: L49: fs, path, child_process, process, console, L50: os, url, assert, util, events, buffer, stream, ... L63: child_process: L64: execSync(cmd) throws on non-zero exit, returns stdout L65: spawnSync(cmd, args) returns { stdout, stderr, status } ... L69: L70: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L71: EOL, cpus(), endianness() L72: L73: url: URL, URLSearchParams, parse(), format() L74:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-N5KEZBH7-CgtG-I6s.mjsView on unpkg · L48

Findings

1 Critical3 High5 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/dist-COvVTq3V.mjs
HighChild Processdist/dist-COvVTq3V.mjs
HighShell
HighCross File Remote Execution Contextdist/js-exec-N5KEZBH7-CgtG-I6s.mjs
MediumDynamic Requiredist/dist-COvVTq3V.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/dist-COvVTq3V.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/dist-83uw4_yr.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License