registry  /  @org-pulse/core  /  2.0.16

@org-pulse/core@2.0.16

⚠ Under review

Org Pulse - a modular engineering dashboard platform connecting Jira, GitHub, and GitLab data with a team roster to surface delivery insights.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 145 file(s), 1.07 MB of source, external domains: api.atlassian.com, api.github.com, api.smartsheet.com, app.slack.com, auth.atlassian.com, docs.google.com, drive.google.com, forms.gle, gitlab.com, id.atlassian.com, jira.example.com, redhat.atlassian.net, redhat.enterprise.slack.com, www.googleapis.com

Source & flagged code

5 flagged · loading source
server/export.jsView file
8L9: const fs = require('fs'); L10: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

server/export.jsView on unpkg · L8
server/dev-server.jsView file
35const { L36: dataDir = path.join(__dirname, '..', 'data'), L37: fixturesDirs = [path.join(__dirname, '..', 'fixtures')], ... L39: platformPaths = [path.join(__dirname, '..', 'platform')], L40: port = process.env.API_PORT || 3001, L41: } = options; ... L114: if (!email || !token) return { valid: false, message: 'JIRA_EMAIL or JIRA_TOKEN not configured' }; L115: const host = process.env.JIRA_HOST || 'https://redhat.atlassian.net'; L116: const auth = Buffer.from(`${email}:${token}`).toString('base64'); L117: const res = await fetch(`${host}/rest/api/2/myself`, { ... L154: const res = await fetch(`${host}/api/v4/user`, { L155: headers: { 'PRIVATE-TOKEN': token, Accept: 'application/json' }
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

server/dev-server.jsView on unpkg · L35
server/must-gather.jsView file
94return { L95: platform: process.platform, L96: arch: process.arch, ... L104: env: { L105: DEMO_MODE: process.env.DEMO_MODE || 'false', L106: JIRA_HOST: process.env.JIRA_HOST || 'https://redhat.atlassian.net', L107: JIRA_EMAIL_SET: !!process.env.JIRA_EMAIL, ... L229: // Deep clone to avoid mutating original L230: const result = JSON.parse(JSON.stringify(bundle)) L231:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

server/must-gather.jsView on unpkg · L94
server/modules/git-sync.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @org-pulse/core@2.0.15 matchedIdentity = npm:QG9yZy1wdWxzZS9jb3Jl:2.0.15 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/modules/git-sync.jsView on unpkg
shared/server/__tests__/github-app-token.test.jsView file
67patternName = private_key_rsa severity = critical line = 67 matchedText = '-----BE...--',
Critical
Secret Pattern

RSA private key in shared/server/__tests__/github-app-token.test.js

shared/server/__tests__/github-app-token.test.jsView on unpkg · L67

Findings

2 Critical2 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltaserver/modules/git-sync.js
CriticalSecret Patternshared/server/__tests__/github-app-token.test.js
HighCredential Exfiltrationserver/dev-server.js
HighSandbox Evasion Gated Capabilityserver/must-gather.js
MediumDynamic Requireserver/export.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License