registry  /  @machine0/cli  /  1.0.93

@machine0/cli@1.0.93

⚠ Under review

Cloud VMs from the CLI.

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 1 file(s), 1.12 MB of source, external domains: app.machine0.io, empty.invalid, github.com, google.github.io, json-schema.org, npms.io, registry.npmjs.org

Source & flagged code

8 flagged · loading source
dist/cli.jsView file
1#!/usr/bin/env node L2: import{createRequire as Mr}from"node:module";var qr=Object.create;var{getPrototypeOf:Wr,defineProperty:SK,getOwnPropertyNames:Vr}=Object;var Ir=Object.prototype.hasOwnProperty;var ... L3: `)}displayWidth(D){return GP(D).length}styleTitle(D){return D}styleUsage(D){return D.split(" ").map((F)=>{if(F==="[options]")return this.styleOptionText(F);if(F==="[command]")retur... ... L13: (Did you mean one of ${B.join(", ")}?)`;if(B.length===1)return` L14: (Did you mean ${B[0]}?)`;return""}Do.suggestSimilar=er});var VP=YD((Qo)=>{var $o=a("node:events").EventEmitter,gK=a("node:child_process"),TF=a("node:path"),iQ=a("node:fs"),v0=a("no... L15: - specify the name in Command constructor or using .name()`);if(F=F||{},F.isDefault)this._defaultCommandName=D._name;if(F.noHelp||F.hidden)D._hidden=!0;return this._registerCommand... ... L28: `);let B;while((B=xo.exec($))!=null){let U=B[1],J=B[2]||"";J=J.trim();let X=J[0];if(J=J.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),X==='"')J=J.replace(/\\n/g,` L29: `),J=J.replace(/\\r/g,"\r");F[U]=J}return F}function ko(D){D=D||{};let F=kP(D);D.path=F;let $=b6.configDotenv(D);if(!$.parsed){let X=Error(`MISSING_DATA: Cannot parse ${F} for an
Critical
Global Object Hijack Exfiltration

Source reassigns a global/builtin to a Proxy that forwards intercepted runtime data to an external endpoint.

dist/cli.jsView on unpkg · L1
20Trigger-reachable chain: manifest.bin -> dist/cli.js L20: - if the default executable name is not suitable, use the executableFile option to supply a custom name or path L21: - ${B}`;throw Error(U)}_executeSubCommand(D,F){F=F.slice();let $=!1,B=[".js",".ts",".tsx",".mjs",".cjs"];function U(Z,H){let E=TF.resolve(Z,H);if(iQ.existsSync(E))return E;if(B.inc... L22: `,this._outputConfiguration.writeErr),typeof this._showHelpAfterError==="string")this._outputConfiguration.writeErr(`${this._showHelpAfterError} ... L24: `),this.outputHelp({error:!0});let $=F||{},B=$.exitCode||1,U=$.code||"commander.error";this._exit(B,U,D)}_parseOptionsEnv(){this.options.forEach((D)=>{if(D.envVar&&D.envVar in v0.e... L25: `),this._exit(0,"commander.version",D)}),this}description(D,F){if(D===void 0&&F===void 0)return this._description;if(this._description=D,F)this._argsDescription=F;return this}summa... L26: Expecting one of '${$.join("', '")}'`);let B=`${D}Help`;return this.on(B,(U)=>{let J;if(typeof F==="function")J=F({error:U.error,command:U.command});else J=F;if(J)U.write(`${J} ... L34: `)}get width(){return this.toString().split(` L35: `)[0].length}}jN.reset=()=>uF.reset();function SN(D,F,$){let B=[];…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L20
13(Did you mean one of ${B.join(", ")}?)`;if(B.length===1)return` L14: (Did you mean ${B[0]}?)`;return""}Do.suggestSimilar=er});var VP=YD((Qo)=>{var $o=a("node:events").EventEmitter,gK=a("node:child_process"),TF=a("node:path"),iQ=a("node:fs"),v0=a("no... L15: - specify the name in Command constructor or using .name()`);if(F=F||{},F.isDefault)this._defaultCommandName=D._name;if(F.noHelp||F.hidden)D._hidden=!0;return this._registerCommand...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L13
20- if the default executable name is not suitable, use the executableFile option to supply a custom name or path L21: - ${B}`;throw Error(U)}_executeSubCommand(D,F){F=F.slice();let $=!1,B=[".js",".ts",".tsx",".mjs",".cjs"];function U(Z,H){let E=TF.resolve(Z,H);if(iQ.existsSync(E))return E;if(B.inc... L22: `,this._outputConfiguration.writeErr),typeof this._showHelpAfterError==="string")this._outputConfiguration.writeErr(`${this._showHelpAfterError} ... L28: `);let B;while((B=xo.exec($))!=null){let U=B[1],J=B[2]||"";J=J.trim();let X=J[0];if(J=J.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),X==='"')J=J.replace(/\\n/g,` L29: `),J=J.replace(/\\r/g,"\r");F[U]=J}return F}function ko(D){D=D||{};let F=kP(D);D.path=F;let $=b6.configDotenv(D);if(!$.parsed){let X=Error(`MISSING_DATA: Cannot parse ${F} for an u... L30: `).reduce(function(U,J){return XS(J)>U?XS(J):U},0)}function JX(D,F){return Array(F+1).join(D)}function yDD(D,F,$,B){let U=d1(D);if(F+1>=U){let J=F-U;switch(B){case"right":{D=JX($,J... ... L34: `)}get width(){return this.toString().split(` L35: `)[0].length}}jN.reset=()=>uF.reset();function SN(D,F,$){let B=[];D.forEach(function(J){B.push(J.draw(F))});let U=B.join("");if(U.length)$.pu
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L20
20- if the default executable name is not suitable, use the executableFile option to supply a custom name or path L21: - ${B}`;throw Error(U)}_executeSubCommand(D,F){F=F.slice();let $=!1,B=[".js",".ts",".tsx",".mjs",".cjs"];function U(Z,H){let E=TF.resolve(Z,H);if(iQ.existsSync(E))return E;if(B.inc... L22: `,this._outputConfiguration.writeErr),typeof this._showHelpAfterError==="string")this._outputConfiguration.writeErr(`${this._showHelpAfterError} ... L24: `),this.outputHelp({error:!0});let $=F||{},B=$.exitCode||1,U=$.code||"commander.error";this._exit(B,U,D)}_parseOptionsEnv(){this.options.forEach((D)=>{if(D.envVar&&D.envVar in v0.e... L25: `),this._exit(0,"commander.version",D)}),this}description(D,F){if(D===void 0&&F===void 0)return this._description;if(this._description=D,F)this._argsDescription=F;return this}summa... L26: Expecting one of '${$.join("', '")}'`);let B=`${D}Help`;return this.on(B,(U)=>{let J;if(typeof F==="function")J=F({error:U.error,command:U.command});else J=F;if(J)U.write(`${J} ... L34: `)}get width(){return this.toString().split(` L35: `)[0].length}}jN.reset=()=>uF.reset();function SN(D,F,$){let B=[];D.forEach(function(J){B.push(J.draw(F))});let U=B.join
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L20
84`,CHAR_NO_BREAK_SPACE:" ",CHAR_PERCENT:"%",CHAR_PLUS:"+",CHAR_QUESTION_MARK:"?",CHAR_RIGHT_ANGLE_BRACKET:">",CHAR_RIGHT_CURLY_BRACE:"}",CHAR_RIGHT_SQUARE_BRACKET:"]",CHAR_SEMICOLON... L85: GFS4: `),console.error(L)};if(!$[Y]){if(q=global[Y]||[],H($,q),$.close=function(L){function C(_,R){return L.call($,_,function(x){if(!x)A();if(typeof R==="function")R.apply(this,arg... L86:
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.jsView on unpkg · L84
31`);let U=$?iDD:rDD;for(let J=0;J<F.length;J++)B.push.apply(B,U(D,F[J]));return B}function aDD(D){let F={},$=[];for(let B=0;B<D.length;B++){let U=mDD(F,D[B]);F=hDD(U);let J=Object.a... L32: `)!=-1,B=this._styles,U=B.length;while(U--){var J=i$[B[U]];if(F=J.open+F.replace(J.closeRe,J.open)+J.close,$)F=F.replace($0D,function(X){return J.close+X+J.open})}return F}O0.setTh... L33: `))}wrapLines(D){let F=z8.colorizeLines(D);if(this.href)return F.map(($)=>z8.hyperlink(this.href,$));return F}init(D){let F=this.x,$=this.y;this.widths=D.colWidths.slice(F,F+this.c...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.jsView on unpkg · L31
290`))F.push(XJ+q.trim());F.push("")}return F.push(""),F.join(` L291: `)}var x$=(D)=>{return m2(D.toLocaleUpperCase())},oQ=(D)=>{let F=D.registeredArguments.map((J)=>J.required?pK(J.name()):nK(J.name())).filter((J)=>J!=="").join(" "),$=YJ([YJ([D.pare... L292: `)}var O5=(D)=>(F,$,B,U)=>{let J=B?Object.assign(B,{async:!1}):{async:!1},X=F._zod.run({value:$,issues:[]},J);if(X instanceof Promise)throw new x1;if(X.issues.length){let Y=new(U?....
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.jsView on unpkg · L290

Findings

2 Critical4 High5 Medium8 Low
CriticalGlobal Object Hijack Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighChild Processdist/cli.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighObfuscated Payload Loaderdist/cli.js
MediumDynamic Requiredist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License