
@miraj181/ipingyou@2.1.9

⚠ Under review

SecureLink-CLI — Secure peer-to-peer remote access via SSH & Cloudflare Tunnels

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 24 file(s), 247 KB of source, external domains: 127.0.0.1, api.groq.com, api.ipify.org, developers.cloudflare.com, github.com, ipingyou.onrender.com, pkg.cloudflare.com, www.openssh.com

Source & flagged code

4 flagged
src/modes/ai.js
L299: patternName = generic_password severity = medium line = 299 matchedText = { type: ...' },
Medium
Secret Pattern

Package contains a possible secret pattern.

src/modes/ai.js · L299
L619: patternName = generic_password severity = medium line = 619 matchedText = { type: ...' },
Medium
Secret Pattern

Hardcoded password in src/modes/ai.js

src/modes/ai.js · L619
src/modes/host.js
L16: import { execa } from 'execa';
L17: import chalk from 'chalk';
...
L34:
L35: const __dirname = path.dirname(fileURLToPath(import.meta.url));
L36: let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com';
L37:
...
L72: try {
L73: const { stdout } = await execa('sudo', ['systemsetup', '-getremotelogin'], { reject: false });
L74: if (stdout.toLowerCase().includes('off')) {
...
L200: if (!homedir) {
L201: throw new Error('Could not resolve the current user home directory for authorized_keys');
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/modes/host.js · L15
Trigger-reachable chain: manifest.main -> src/cli.js -> src/modes/host.js
L15:
L16: import { execa } from 'execa';
L17: import chalk from 'chalk';
...
L34:
L35: const __dirname = path.dirname(fileURLToPath(import.meta.url));
L36: let BROKER_URL = process.env.BROKER_URL || 'https://ipingyou.onrender.com';
L37:
...
L72: try {
L73: const { stdout } = await execa('sudo', ['systemsetup', '-getremotelogin'], { reject: false });
L74: if (stdout.toLowerCase().includes('off')) {
...
L200: if (!homedir) {
L201: throw new Error('Could not resolve the current user home directory for authorized_keys');
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/modes/host.js · L15

Findings

2 Critical · 5 Medium · 5 Low
Critical · Persistence Backdoor · src/modes/host.js
Critical · Trigger Reachable Dangerous Capability · src/modes/host.js
Medium · Secret Pattern · src/modes/ai.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · src/modes/ai.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings