registry  /  @keystrokehq/platform  /  0.1.60

@keystrokehq/platform@0.1.60

⚠ Under review

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 214 file(s), 7.60 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, angular.io, api.exa.ai, chat-sdk.dev, cscott.net, datatracker.ietf.org, dom.spec.whatwg.org, example.com, github.com, json-schema.org, landley.net, raw.githubusercontent.com, trac.webkit.org, www.ibm.com, www.w3.org, www.whatwg.org

Source & flagged code

8 flagged · loading source
dist/diff-MWJFIG7X-CfpVv0Lf.cjsView file
70}; L71: if (callback) (function exec() { L72: setTimeout(function() {
High
Child Process

Package source references child process execution.

dist/diff-MWJFIG7X-CfpVv0Lf.cjsView on unpkg · L70
dist/chunk-TN7HHBQW-D_SK6w5n.cjsView file
17strategy: "throw", L18: reason: "eval() allows arbitrary code execution" L19: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-TN7HHBQW-D_SK6w5n.cjsView on unpkg · L17
dist/run.cjsView file
1const require_config = require("./config.cjs"); L2: const require_start = require("./start-CtH0k_h4.cjs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/run.cjsView on unpkg · L1
dist/dist-Craixc2h.mjsView file
1import { createRequire } from "node:module"; L2: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID } from "node:crypto"; L3: import { DEFAULT_DATABASE_URL, claimDueTriggers, claimDueTriggersForOrg, claimNextJob, clearCredentialInstanceDefaults, createPostgresCancelChannel, decryptCredentialPayload, disab... ... L6: import { AsyncLocalStorage } from "node:async_hooks"; L7: import { deleteManagedServiceCredential, deleteSecretValuesForRef, ensureOAuthApp, getManagedServiceCredential, getOrganizationScopeId, insertManagedServiceCredential, saveOAuthCon... L8: import * as z$1 from "zod/v4"; ... L15: import { join } from "node:path"; L16: import { spawnSync } from "node:child_process"; L17: import { tmpdir } from "node:os"; ... L441: /** L442: * @private L443: */
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/dist-Craixc2h.mjsView on unpkg · L1
1import { createRequire } from "node:module"; L2: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID } from "node:crypto"; L3: import { DEFAULT_DATABASE_URL, claimDueTriggers, claimDueTriggersForOrg, claimNextJob, clearCredentialInstanceDefaults, createPostgresCancelChannel, decryptCredentialPayload, disab... ... L6: import { AsyncLocalStorage } from "node:async_hooks"; L7: import { deleteManagedServiceCredential, deleteSecretValuesForRef, ensureOAuthApp, getManagedServiceCredential, getOrganizationScopeId, insertManagedServiceCredential, saveOAuthCon... L8: import * as z$1 from "zod/v4"; ... L15: import { join } from "node:path"; L16: import { spawnSync } from "node:child_process"; L17: import { tmpdir } from "node:os"; ... L441: /** L442: * @private L443: */
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/dist-Craixc2h.mjsView on unpkg · L1
1import { createRequire } from "node:module"; L2: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID } from "node:crypto"; L3: import { DEFAULT_DATABASE_URL, claimDueTriggers, claimDueTriggersForOrg, claimNextJob, clearCredentialInstanceDefaults, createPostgresCancelChannel, decryptCredentialPayload, disab... ... L6: import { AsyncLocalStorage } from "node:async_hooks"; L7: import { deleteManagedServiceCredential, deleteSecretValuesForRef, ensureOAuthApp, getManagedServiceCredential, getOrganizationScopeId, insertManagedServiceCredential, saveOAuthCon... L8: import * as z$1 from "zod/v4"; ... L15: import { join } from "node:path"; L16: import { spawnSync } from "node:child_process"; L17: import { tmpdir } from "node:os"; ... L441: /** L442: * @private L443: */
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dist-Craixc2h.mjsView on unpkg · L1
dist/js-exec-N5KEZBH7-CQVz3Q0A.cjsView file
40Cross-file remote execution chain: dist/js-exec-N5KEZBH7-CQVz3Q0A.cjs spawns dist/chunk-TN7HHBQW-D_SK6w5n.cjs; helper contains network access plus dynamic code execution. L40: Available modules: L41: fs, path, child_process, process, console, L42: os, url, assert, util, events, buffer, stream, ... L55: child_process: L56: execSync(cmd) throws on non-zero exit, returns stdout L57: spawnSync(cmd, args) returns { stdout, stderr, status } ... L61: L62: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L63: EOL, cpus(), endianness() L64: L65: url: URL, URLSearchParams, parse(), format() L66:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-N5KEZBH7-CQVz3Q0A.cjsView on unpkg · L40
dist/dist-B2pUVq21.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @keystrokehq/platform@0.1.46 matchedIdentity = npm:QGtleXN0cm9rZWhxL3BsYXRmb3Jt:0.1.46 similarity = 0.942 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/dist-B2pUVq21.cjsView on unpkg

Findings

1 Critical4 High5 Medium9 Low
CriticalPrevious Version Dangerous Deltadist/dist-B2pUVq21.cjs
HighChild Processdist/diff-MWJFIG7X-CfpVv0Lf.cjs
HighShell
HighCloud Metadata Accessdist/dist-Craixc2h.mjs
HighCross File Remote Execution Contextdist/js-exec-N5KEZBH7-CQVz3Q0A.cjs
MediumDynamic Requiredist/run.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/dist-Craixc2h.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunk-TN7HHBQW-D_SK6w5n.cjs
LowWeak Cryptodist/dist-Craixc2h.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License