registry  /  @miraj181/ipingyou  /  2.1.18

@miraj181/ipingyou@2.1.18

⚠ Under review

SecureLink-CLI — Secure peer-to-peer remote access via SSH & Cloudflare Tunnels

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 257 KB of source, external domains: 127.0.0.1, api.groq.com, api.ipify.org, developers.cloudflare.com, ipingyou.onrender.com

Source & flagged code

5 flagged · loading source
src/modes/ai.jsView file
366patternName = generic_password severity = medium line = 366 matchedText = { type: ...' },
Medium
Secret Pattern

Package contains a possible secret pattern.

src/modes/ai.jsView on unpkg · L366
4L5: import { execa } from 'execa'; L6: import chalk from 'chalk'; ... L21: L22: let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com'; L23: ... L25: You can request local tools. You must protect user secrets. L26: Never ask to read private keys, .env files, token stores, ~/.ssh, ~/.ipingyou, or password/config files. L27: Never include secrets in your final answer. Prefer read-only inspection before changes. ... L111: L112: if (result.exitCode !== 0) { L113: try { fs.unlinkSync(keyPath); } catch { }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/modes/ai.jsView on unpkg · L4
693patternName = generic_password severity = medium line = 693 matchedText = { type: ...' },
Medium
Secret Pattern

Hardcoded password in src/modes/ai.js

src/modes/ai.jsView on unpkg · L693
src/modes/host.jsView file
15L16: import { execa } from 'execa'; L17: import chalk from 'chalk'; ... L37: L38: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L39: let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com'; L40: ... L85: try { L86: const { stdout } = await execa('sudo', ['systemsetup', '-getremotelogin'], { reject: false }); L87: if (stdout.toLowerCase().includes('off')) { ... L213: if (!homedir) { L214: throw new Error('Could not resolve the current user home directory for authorized_keys');
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/modes/host.jsView on unpkg · L15
15Trigger-reachable chain: manifest.main -> src/cli.js -> src/modes/host.js L15: L16: import { execa } from 'execa'; L17: import chalk from 'chalk'; ... L37: L38: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L39: let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com'; L40: ... L85: try { L86: const { stdout } = await execa('sudo', ['systemsetup', '-getremotelogin'], { reject: false }); L87: if (stdout.toLowerCase().includes('off')) { ... L213: if (!homedir) { L214: throw new Error('Could not resolve the current user home directory for authorized_keys');
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/modes/host.jsView on unpkg · L15

Findings

2 Critical6 Medium5 Low
CriticalPersistence Backdoorsrc/modes/host.js
CriticalTrigger Reachable Dangerous Capabilitysrc/modes/host.js
MediumSecret Patternsrc/modes/ai.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/modes/ai.js
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/modes/ai.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings