
@miraj181/ipingyou@2.1.19

SecureLink-CLI — Secure peer-to-peer remote access via SSH & Cloudflare Tunnels

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked remote-access CLI with powerful but package-aligned SSH, Cloudflare tunnel, broker, and AI helper features.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
explicit CLI invocation such as `ipingyou host`, `ipingyou connect`, `ipingyou ai`, or `ipingyou service install`
Impact
Can expose local SSH/HTTP/TCP services and write local config or temporary SSH key material only through explicit user flows.
Mechanism
user-directed remote access, encrypted broker relay, and guarded AI command assistance
Rationale
Static inspection shows high-risk remote-access primitives, but they are aligned with the package description, gated behind explicit CLI actions or prompts, and not activated during npm install/import. No concrete malicious chain, stealth persistence, exfiltration, or foreign AI-agent control mutation was found.
Evidence
  • package.json
  • src/cli.js
  • src/modes/host.js
  • src/modes/client.js
  • src/modes/ai.js
  • src/lib/broker.js
  • src/lib/cleanup.js
  • src/lib/config.js
  • src/lib/ai/safety.js
  • src/lib/ai/groq.js
  • src/lib/tunnel.js
  • src/lib/ssh.js
  • ~/.ssh/authorized_keys
  • ~/.ipingyou/config.json
  • ~/.ipingyou/allowlist.json
  • ~/.ipingyou/logs/session-events.jsonl
  • /tmp/ipingyou_*
  • /tmp/ipingyou_client_*
  • /tmp/ipingyou_ai_*
Network endpoints (4)
  • ipingyou.onrender.com
  • api.ipify.org
  • api.groq.com/openai/v1
  • *.trycloudflare.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/modes/host.js can start SSH, inject an ephemeral public key into ~/.ssh/authorized_keys, expose services through cloudflared, and auto-install tmux in explicit host mode.
  • src/cli.js service install explicitly installs/starts PM2 background host service when user runs `ipingyou service install`.
  • src/lib/broker.js sends encrypted client telemetry including username, public IP, OS, CPU, RAM to the selected broker after client connection.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly runs publisher-side help checks.
  • src/cli.js dangerous flows are explicit CLI commands or interactive choices, not import-time or install-time behavior.
  • src/modes/host.js removes the injected authorized_keys entry and temp keys via cleanup hooks, with symlink checks.
  • src/modes/ai.js requires consent, blocks secret paths, prompts before tool execution/file reads, and redacts secrets before Groq calls.
  • src/lib/broker.js stores encrypted blobs and uses package-aligned endpoints under the selected broker.
  • No evidence of credential harvesting, hidden payload download, reviewer prompt injection, or stealth persistence in inspected source.
Behavioral surface
Source
  • Crypto
  • Environment Vars
  • Filesystem
  • Network
  • Shell
  • WebSocket
Supply chain
  • High Entropy Strings
  • Url Strings
Manifest
No manifest risk signals triggered.
scanned 28 file(s), 258 KB of source, external domains: 127.0.0.1, api.groq.com, api.ipify.org, developers.cloudflare.com, ipingyou.onrender.com

Source & flagged code

6 flagged
src/modes/ai.js
patternName = generic_password · severity = medium · line = 366 · matchedText = { type: ...' },
Medium
Secret Pattern

Package contains a possible secret pattern.

src/modes/ai.js · L366
Excerpt (file line numbers as reported by the scanner):
  L5:   import { execa } from 'execa';
  L6:   import chalk from 'chalk';
  ...
  L21:
  L22:  let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com';
  L23:  ...
  L25:  You can request local tools. You must protect user secrets.
  L26:  Never ask to read private keys, .env files, token stores, ~/.ssh, ~/.ipingyou, or password/config files.
  L27:  Never include secrets in your final answer. Prefer read-only inspection before changes.
  ...
  L111:
  L112: if (result.exitCode !== 0) {
  L113: try { fs.unlinkSync(keyPath); } catch { }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/modes/ai.js · L4
patternName = generic_password · severity = medium · line = 693 · matchedText = { type: ...' },
Medium
Secret Pattern

Hardcoded password in src/modes/ai.js

src/modes/ai.js · L693
src/modes/host.js
Excerpt (file line numbers as reported by the scanner):
  L16:  import { execa } from 'execa';
  L17:  import chalk from 'chalk';
  ...
  L37:
  L38:  const __dirname = path.dirname(fileURLToPath(import.meta.url));
  L39:  let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com';
  L40:  ...
  L85:  try {
  L86:  const { stdout } = await execa('sudo', ['systemsetup', '-getremotelogin'], { reject: false });
  L87:  if (stdout.toLowerCase().includes('off')) {
  ...
  L213: if (!homedir) {
  L214: throw new Error('Could not resolve the current user home directory for authorized_keys');
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/modes/host.js · L15
Trigger-reachable chain: manifest.main -> src/cli.js -> src/modes/host.js (same excerpt as above)
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/modes/host.js · L15
src/modes/client.js
Excerpt (file line numbers as reported by the scanner):
  L15: import { execa } from 'execa';
  L16: import chalk from 'chalk';
  ...
  L32:
  L33: let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com';
  L34: ...
  L47:
  L48: function normalizePrivateKey(privateKey) {
  L49: const normalized = String(privateKey || '').replace(/\\n/g, '\n').replace(/\r\n/g, '\n');
  ...
  L57: // On Windows, NTFS ignores POSIX mode bits — fix ACLs with icacls
  L58: if (process.platform === 'win32') {
  L59: const currentUser = os.userInfo().username;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/modes/client.js · L14

Findings

2 Critical · 1 High · 6 Medium · 5 Low

  • Critical · Persistence Backdoor · src/modes/host.js
  • Critical · Trigger Reachable Dangerous Capability · src/modes/host.js
  • High · Sandbox Evasion Gated Capability · src/modes/client.js
  • Medium · Secret Pattern · src/modes/ai.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · src/modes/ai.js
  • Medium · Structural Risk Force Deep Review
  • Medium · Secret Pattern · src/modes/ai.js
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings