registry  /  @machine0/cli  /  1.0.101

@machine0/cli@1.0.101

⚠ Under review

Cloud VMs from the CLI.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 3 file(s), 1.14 MB of source, external domains: app.machine0.io, empty.invalid, github.com, google.github.io, json-schema.org, nodejs.org, npms.io, registry.npmjs.org

Source & flagged code

7 flagged · loading source
dist/cli.bundle.cjsView file
1#!/usr/bin/env node L2: var gr=Object.create;var{getPrototypeOf:yr,defineProperty:Qq,getOwnPropertyNames:hr}=Object;var mr=Object.prototype.hasOwnProperty;var SD=(D,F,$)=>{$=D!=null?gr(yr(D)):{};let B=F||... L3: `)}displayWidth(D){return iP(D).length}styleTitle(D){return D}styleUsage(D){return D.split(" ").map((F)=>{if(F==="[options]")return this.styleOptionText(F);if(F==="[command]")retur... ... L13: (Did you mean one of ${B.join(", ")}?)`;if(B.length===1)return` L14: (Did you mean ${B[0]}?)`;return""}tP.suggestSimilar=Qa});var $w=JD((Cq)=>{var Ga=require("node:events").EventEmitter,Lq=require("node:child_process"),wF=require("node:path"),qG=req... L15: - specify the name in Command constructor or using .name()`);if(F=F||{},F.isDefault)this._defaultCommandName=D._name;if(F.noHelp||F.hidden)D._hidden=!0;return this._registerCommand... ... L28: `);let B;while((B=Ra.exec($))!=null){let U=B[1],J=B[2]||"";J=J.trim();let X=J[0];if(J=J.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),X==='"')J=J.replace(/\\n/g,` L29: `),J=J.replace(/\\r/g,"\r");F[U]=J}return F}function Pa(D){D=D||{};let F=Lw(D);D.path=F;let $=d6.configDotenv(D);if(!$.parsed){let X=Error(`MISSING_DATA: Cannot parse ${F} for an
Critical
Global Object Hijack Exfiltration

Source reassigns a global/builtin to a Proxy that forwards intercepted runtime data to an external endpoint.

dist/cli.bundle.cjsView on unpkg · L1
20Trigger-reachable chain: manifest.bin -> bin/entry.cjs -> dist/cli.bundle.cjs L20: - if the default executable name is not suitable, use the executableFile option to supply a custom name or path L21: - ${B}`;throw Error(U)}_executeSubCommand(D,F){F=F.slice();let $=!1,B=[".js",".ts",".tsx",".mjs",".cjs"];function U(Z,H){let E=wF.resolve(Z,H);if(qG.existsSync(E))return E;if(B.inc... L22: `,this._outputConfiguration.writeErr),typeof this._showHelpAfterError==="string")this._outputConfiguration.writeErr(`${this._showHelpAfterError} ... L24: `),this.outputHelp({error:!0});let $=F||{},B=$.exitCode||1,U=$.code||"commander.error";this._exit(B,U,D)}_parseOptionsEnv(){this.options.forEach((D)=>{if(D.envVar&&D.envVar in b0.e... L25: `),this._exit(0,"commander.version",D)}),this}description(D,F){if(D===void 0&&F===void 0)return this._description;if(this._description=D,F)this._argsDescription=F;return this}summa... L26: Expecting one of '${$.join("', '")}'`);let B=`${D}Help`;return this.on(B,(U)=>{let J;if(typeof F==="function")J=F({error:U.error,command:U.command});else J=F;if(J)U.write(`${J} ... L34: `)}get width(){return this.toString().split(` L35: `)[0].length}}qN.reset=()=>bF.reset();fun…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.bundle.cjsView on unpkg · L20
13(Did you mean one of ${B.join(", ")}?)`;if(B.length===1)return` L14: (Did you mean ${B[0]}?)`;return""}tP.suggestSimilar=Qa});var $w=JD((Cq)=>{var Ga=require("node:events").EventEmitter,Lq=require("node:child_process"),wF=require("node:path"),qG=req... L15: - specify the name in Command constructor or using .name()`);if(F=F||{},F.isDefault)this._defaultCommandName=D._name;if(F.noHelp||F.hidden)D._hidden=!0;return this._registerCommand...
High
Child Process

Package source references child process execution.

dist/cli.bundle.cjsView on unpkg · L13
20- if the default executable name is not suitable, use the executableFile option to supply a custom name or path L21: - ${B}`;throw Error(U)}_executeSubCommand(D,F){F=F.slice();let $=!1,B=[".js",".ts",".tsx",".mjs",".cjs"];function U(Z,H){let E=wF.resolve(Z,H);if(qG.existsSync(E))return E;if(B.inc... L22: `,this._outputConfiguration.writeErr),typeof this._showHelpAfterError==="string")this._outputConfiguration.writeErr(`${this._showHelpAfterError} ... L28: `);let B;while((B=Ra.exec($))!=null){let U=B[1],J=B[2]||"";J=J.trim();let X=J[0];if(J=J.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),X==='"')J=J.replace(/\\n/g,` L29: `),J=J.replace(/\\r/g,"\r");F[U]=J}return F}function Pa(D){D=D||{};let F=Lw(D);D.path=F;let $=d6.configDotenv(D);if(!$.parsed){let X=Error(`MISSING_DATA: Cannot parse ${F} for an u... L30: `).reduce(function(U,J){return cj(J)>U?cj(J):U},0)}function CX(D,F){return Array(F+1).join(D)}function W0D(D,F,$,B){let U=l1(D);if(F+1>=U){let J=F-U;switch(B){case"right":{D=CX($,J... ... L34: `)}get width(){return this.toString().split(` L35: `)[0].length}}qN.reset=()=>bF.reset();function KN(D,F,$){let B=[];D.forEach(function(J){B.push(J.draw(F))});let U=B.join("");if(U.length)$.pu
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.bundle.cjsView on unpkg · L20
20- if the default executable name is not suitable, use the executableFile option to supply a custom name or path L21: - ${B}`;throw Error(U)}_executeSubCommand(D,F){F=F.slice();let $=!1,B=[".js",".ts",".tsx",".mjs",".cjs"];function U(Z,H){let E=wF.resolve(Z,H);if(qG.existsSync(E))return E;if(B.inc... L22: `,this._outputConfiguration.writeErr),typeof this._showHelpAfterError==="string")this._outputConfiguration.writeErr(`${this._showHelpAfterError} ... L24: `),this.outputHelp({error:!0});let $=F||{},B=$.exitCode||1,U=$.code||"commander.error";this._exit(B,U,D)}_parseOptionsEnv(){this.options.forEach((D)=>{if(D.envVar&&D.envVar in b0.e... L25: `),this._exit(0,"commander.version",D)}),this}description(D,F){if(D===void 0&&F===void 0)return this._description;if(this._description=D,F)this._argsDescription=F;return this}summa... L26: Expecting one of '${$.join("', '")}'`);let B=`${D}Help`;return this.on(B,(U)=>{let J;if(typeof F==="function")J=F({error:U.error,command:U.command});else J=F;if(J)U.write(`${J} ... L34: `)}get width(){return this.toString().split(` L35: `)[0].length}}qN.reset=()=>bF.reset();function KN(D,F,$){let B=[];D.forEach(function(J){B.push(J.draw(F))});let U=B.join
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.bundle.cjsView on unpkg · L20
290`))F.push(CJ+q.trim());F.push("")}return F.push(""),F.join(` L291: `)}var m9=(D)=>{return m6(D.toLocaleUpperCase())},WG=(D)=>{let F=D.registeredArguments.map((J)=>J.required?wq(J.name()):_q(J.name())).filter((J)=>J!=="").join(" "),$=RJ([RJ([D.pare... L292: `)}var k5=(D)=>(F,$,B,U)=>{let J=B?Object.assign(B,{async:!1}):{async:!1},X=F._zod.run({value:$,issues:[]},J);if(X instanceof Promise)throw new k1;if(X.issues.length){let Y=new(U?....
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.bundle.cjsView on unpkg · L290
bin/entry.cjsView file
15MIN_NODE_MINOR, L16: } = require("./check-node-version.cjs"); L17:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/entry.cjsView on unpkg · L15

Findings

2 Critical3 High5 Medium8 Low
CriticalGlobal Object Hijack Exfiltrationdist/cli.bundle.cjs
CriticalTrigger Reachable Dangerous Capabilitydist/cli.bundle.cjs
HighChild Processdist/cli.bundle.cjs
HighSame File Env Network Executiondist/cli.bundle.cjs
HighCommand Output Exfiltrationdist/cli.bundle.cjs
MediumDynamic Requirebin/entry.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.bundle.cjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License