registry  /  @keystrokehq/platform  /  0.1.42

@keystrokehq/platform@0.1.42

⚠ Under review

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 212 file(s), 7.54 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, angular.io, api.exa.ai, chat-sdk.dev, cscott.net, datatracker.ietf.org, dom.spec.whatwg.org, example.com, github.com, json-schema.org, landley.net, raw.githubusercontent.com, trac.webkit.org, www.ibm.com, www.w3.org, www.whatwg.org

Source & flagged code

8 flagged · loading source
dist/diff-MWJFIG7X-D7YtJ3Bd.mjsView file
70}; L71: if (callback) (function exec() { L72: setTimeout(function() {
High
Child Process

Package source references child process execution.

dist/diff-MWJFIG7X-D7YtJ3Bd.mjsView on unpkg · L70
dist/chunk-TN7HHBQW-D_SK6w5n.cjsView file
17strategy: "throw", L18: reason: "eval() allows arbitrary code execution" L19: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-TN7HHBQW-D_SK6w5n.cjsView on unpkg · L17
dist/chunk-VPADYNBD-D_b6IjYU.cjsView file
1const require_start = require("./start-D1Dkblgs.cjs"); L2: const require_chunk_BZUGFHVS = require("./chunk-BZUGFHVS-7RRM7Jpb.cjs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-VPADYNBD-D_b6IjYU.cjsView on unpkg · L1
dist/dist-D-LNLT9h.mjsView file
7import { AsyncLocalStorage } from "node:async_hooks"; L8: import { deleteSecretValuesForRef, ensureOAuthApp, getOrganizationScopeId, saveOAuthConnection, selectSecretValue, upsertSecretValue } from "@keystrokehq/platform-database"; L9: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID } from "node:crypto"; L10: import * as z$1 from "zod/v4"; ... L17: import { join } from "node:path"; L18: import { spawnSync } from "node:child_process"; L19: import { tmpdir } from "node:os"; ... L597: * (timestamps embedded in the id). Use {@link cuid2} instead. L598: * See https://github.com/paralleldrive/cuid. L599: */ ... L4868: "previews", L4869: "private",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dist-D-LNLT9h.mjsView on unpkg · L7
dist/dist-YmPukXFH.cjsView file
31let node_async_hooks = require("node:async_hooks"); L32: let _keystrokehq_platform_database = require("@keystrokehq/platform-database"); L33: let node_crypto = require("node:crypto"); ... L45: let node_path = require("node:path"); L46: let node_child_process = require("node:child_process"); L47: let node_os = require("node:os"); ... L601: * (timestamps embedded in the id). Use {@link cuid2} instead. L602: * See https://github.com/paralleldrive/cuid. L603: */ ... L630: const cidrv6 = /^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|::|([0-9a-fA-F]{1,4})?::([0-9a-fA-F]{1,4}:?){0,6})\/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$/; L631: const base64 = /^$|^(?:[0-9a-zA-Z+/]{4})*(?:(?:[0-9a-zA-Z+/]{2}==)|(?:[0-9a-zA-Z+/]{3}=))?$/; L632: const base64url = /^[A-Za-z0-9_-]*$/;
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/dist-YmPukXFH.cjsView on unpkg · L31
31let node_async_hooks = require("node:async_hooks"); L32: let _keystrokehq_platform_database = require("@keystrokehq/platform-database"); L33: let node_crypto = require("node:crypto"); ... L45: let node_path = require("node:path"); L46: let node_child_process = require("node:child_process"); L47: let node_os = require("node:os"); ... L601: * (timestamps embedded in the id). Use {@link cuid2} instead. L602: * See https://github.com/paralleldrive/cuid. L603: */ ... L630: const cidrv6 = /^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|::|([0-9a-fA-F]{1,4})?::([0-9a-fA-F]{1,4}:?){0,6})\/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$/; L631: const base64 = /^$|^(?:[0-9a-zA-Z+/]{4})*(?:(?:[0-9a-zA-Z+/]{2}==)|(?:[0-9a-zA-Z+/]{3}=))?$/; L632: const base64url = /^[A-Za-z0-9_-]*$/;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/dist-YmPukXFH.cjsView on unpkg · L31
dist/js-exec-N5KEZBH7-B-idDd6z.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @keystrokehq/platform@0.1.39 matchedIdentity = npm:QGtleXN0cm9rZWhxL3BsYXRmb3Jt:0.1.39 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/js-exec-N5KEZBH7-B-idDd6z.mjsView on unpkg
40Cross-file remote execution chain: dist/js-exec-N5KEZBH7-B-idDd6z.mjs spawns dist/chunk-TN7HHBQW-B8PYcKz5.mjs; helper contains network access plus dynamic code execution. L40: Available modules: L41: fs, path, child_process, process, console, L42: os, url, assert, util, events, buffer, stream, ... L55: child_process: L56: execSync(cmd) throws on non-zero exit, returns stdout L57: spawnSync(cmd, args) returns { stdout, stderr, status } ... L61: L62: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L63: EOL, cpus(), endianness() L64: L65: url: URL, URLSearchParams, parse(), format() L66:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-N5KEZBH7-B-idDd6z.mjsView on unpkg · L40

Findings

1 Critical4 High5 Medium9 Low
CriticalPrevious Version Dangerous Deltadist/js-exec-N5KEZBH7-B-idDd6z.mjs
HighChild Processdist/diff-MWJFIG7X-D7YtJ3Bd.mjs
HighShell
HighCloud Metadata Accessdist/dist-YmPukXFH.cjs
HighCross File Remote Execution Contextdist/js-exec-N5KEZBH7-B-idDd6z.mjs
MediumDynamic Requiredist/chunk-VPADYNBD-D_b6IjYU.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/dist-YmPukXFH.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunk-TN7HHBQW-D_SK6w5n.cjs
LowWeak Cryptodist/dist-D-LNLT9h.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License