registry  /  @qaecy/cue-cli  /  0.0.51

@qaecy/cue-cli@0.0.51

Cue CLI for QAECY platform

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.26 MB of source, external domains: 10.0.3.120, 4dx.embl.de, a9.com, abs.270a.info, academic-meta-tool.xyz, accessors-api-gateway-ueyeemwf2a-oa.a.run.app, activitypods.org, advene.org, aers.data2semantics.org, agrinepaldata.com, aims.fao.org, akonadi-project.org, aksw.org, aleth.io, animaldiversity.org, annotation.semanticweb.org, api.bloomberg.com, api.frankfurter.dev, api.hyprdia.com, api.ohdsi.org, app.korfin.de, archaeology.link, archdesc.info, archivo.dbpedia.org, art.uniroma2.it, assemblee-virtuelle.github.io, atomowl.org, auto.schema.org, automotive.eurecom.fr, awesemantic-geo.link, awslabs.github.io, babelnet.org, bag.basisregistraties.overheid.nl, bag2.basisregistraties.overheid.nl, bblfish.net, beer.com, betalinkeddata.cbs.nl, bg.dbpedia.org, bgt.basisregistraties.overheid.nl, bibliograph.net, biglinkeddata.com, bihap.kb.gov.tr, bing.com, bio2rdf.org, bioentity.io, biohackathon.org, bioinformatics.ua.pt, bioportal.bioontology.org, bioschemas.org, bis.270a.info

Source & flagged code

9 flagged · loading source
main.jsView file
11143patternName = google_api_key severity = high line = 11143 matchedText = apiKey: ...Lk",
High
High Secret

Package contains a high-severity secret pattern.

main.jsView on unpkg · L11143
10755module2.exports = (string4, columns, options2) => { L10756: return String(string4).normalize().replace(/\r\n/g, "\n").split("\n").map((line) => exec(line, columns, options2)).join("\n"); L10757: };
High
Child Process

Package source references child process execution.

main.jsView on unpkg · L10755
11107module2.exports = (string4, columns, options2) => { L11108: return String(string4).normalize().replace(/\r\n/g, "\n").split("\n").map((line) => exec(line, columns, options2)).join("\n"); L11109: }; ... L11119: var import_path = require("path"); L11120: var EMULATOR_API_GATEWAY_PORT = process.env.CUE_EMULATOR_API_GATEWAY_PORT ?? "18093"; L11121: var EMULATOR_API_GATEWAY_BASE = `http://localhost:${EMULATOR_API_GATEWAY_PORT}`; L11122: var TOKEN_ENDPOINT_EMULATOR = `${EMULATOR_API_GATEWAY_BASE}/token`;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

main.jsView on unpkg · L11107
matchType = previous_version_dangerous_delta matchedPackage = @qaecy/cue-cli@0.0.50 matchedIdentity = npm:QHFhZWN5L2N1ZS1jbGk:0.0.50 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

main.jsView on unpkg
11143patternName = google_api_key severity = high line = 11143 matchedText = apiKey: ...Lk",
High
Secret Pattern

Google API key in main.js

main.jsView on unpkg · L11143
15851patternName = google_api_key severity = high line = 15851 matchedText = apiKey: ...l0",
High
Secret Pattern

Google API key in main.js

main.jsView on unpkg · L15851
3296sourceCode = this.opts.code.process(sourceCode, sch); L3297: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L3298: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

main.jsView on unpkg · L3296
hash-worker.jsView file
1// apps/desktop/cue-cli/src/hash-worker.js L2: var { parentPort } = require("worker_threads"); L3: var { createReadStream } = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

hash-worker.jsView on unpkg · L1
assets/wasm/dir_scanner_wasm_bg.wasmView file
path = assets/wasm/dir_scanner_wasm_bg.wasm kind = wasm_module sizeBytes = 380698 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

assets/wasm/dir_scanner_wasm_bg.wasmView on unpkg

Findings

6 High5 Medium5 Low
HighHigh Secretmain.js
HighChild Processmain.js
HighSame File Env Network Executionmain.js
HighPrevious Version Dangerous Deltamain.js
HighSecret Patternmain.js
HighSecret Patternmain.js
MediumDynamic Requirehash-worker.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleassets/wasm/dir_scanner_wasm_bg.wasm
MediumStructural Risk Force Deep Review
LowEvalmain.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License