registry  /  @radhya/mach  /  2.0.36

@radhya/mach@2.0.36

⚠ Under review

Mach CLI: Cloud Build Orchestrator for React Native & Expo

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 424 KB of source, external domains: 127.0.0.1, 169.254.169.254, api.appstoreconnect.apple.com, app.example.com, appstoreconnect.apple.com, deb.nodesource.com, developer.android.com, developer.apple.com, dl.google.com, example.com, getmach.dev, github.com, mach-api.securejs.in, www.apple.com, www.sitemaps.org

Source & flagged code

10 flagged · loading source
dist/index.jsView file
1427patternName = private_key_rsa severity = critical line = 1427 matchedText = `):n||e....----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.jsView on unpkg · L1427
17`)} L18: </urlset>`}import{randomUUID as hp}from"crypto";import Ee from"path";import ai from"axios";import yp from"os";import{spinner as Tr,select as Ks,confirm as zs,isCancel as li,cancel ... L19: # --- Mach Cloud Build Script (Android) --- ... L32: export CI=true L33: export npm[redacted]=false L34: export npm[redacted]=true
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L17
623Trigger-reachable chain: manifest.main -> dist/index.js L623: `),Nt.info(xt.dim("React Native Podfile fingerprint changed - clearing Pods for clean install...")),ut.rmSync(g,{recursive:!0,force:!0})):_&&Tc(y,h)&&(await s(`[CACHE] React Native... L624: `),Nt.info(xt.dim("React Native Pods manifest is out of sync - clearing Pods for clean install...")),ut.rmSync(g,{recursive:!0,force:!0}));let T="/opt/homebrew/bin/pod",w=ut.exists... L625: `):"",f;if(r){let I=Bo.isAbsolute(r)?r:Bo.resolve(process.cwd(),r);Fo.existsSync(I)?(f=Fo.readFileSync(I,"utf-8"),qn.info(Uo.magenta(`\u2713 Loaded preBuild hook: ${r}`))):qn.warn(... ... L631: {{ENV_VARS}} L632: `).replace("{{FRAMEWORK_ANDROID_VERSION_CODE}}",s.androidRemoteVersionCodeScript().trim()).replace("{{FRAMEWORK_ANDROID_PREBUILD}}",s.androidRemotePrebuildScript().trim()).replace(... L633: # --- Mach Cloud Build Script (iOS) ---
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L623
1427patternName = private_key_rsa severity = critical line = 1427 matchedText = `):n||e....----
Critical
Secret Pattern

RSA private key in dist/index.js

dist/index.jsView on unpkg · L1427
1#!/usr/bin/env node L2: import{a as zt,b as He,c as $o,d as Tt,e as ve,f as xe,g as vo,h as Ro,i as Wt,j as Po,l as mn}from"./chunk-ZPETQEMG.js";import{a as m,b as wo,c as Ne,d as _o,e as Kt,f as dt,g as ... L3: `;s+=`Region: ${hn.cyan(o.region)} ... L6: CloudFront ID: ${hn.cyan(o.cloudFrontId)}`,s+=` L7: CloudFront URL: ${hn.blue(o.cloudFrontUrl)}`),Ac(s,"Setup Complete!"),Ec("You are all set!")}catch(r){i.stop("Setup failed"),gn(`Error: ${r.response?.data?.message||r.message}`)}... L8: ${s.map(u=>` \u2022 ${u.path}`).join(` ... L17: `)} L18: </urlset>`}import{randomUUID as hp}from"crypto";import Ee from"path";import ai from"axios";import yp from"os";import{spinner as Tr,select as Ks,confirm as zs,isCancel as li,cancel ... L19: # --- Mach Cloud Build Script (Android) --- ... L32: export CI=true L33: export npm[redacted]=false L34: export npm[redacted]=true
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
1531patternName = generic_password severity = medium line = 1531 matchedText = `).filte...in(`
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L1531
dist/chunk-ZPETQEMG.jsView file
1import{a as m,h as V}from"./chunk-S64YFTRR.js";import{log as o,spinner as Ae,text as q,password as ve,select as ne,confirm as dt,isCancel as T,cancel as H,intro as Dt,outro as Jt,n... L2: Apple Team ID is required to fetch certificates.`)),ie.info(ae.dim("You can find this at: https://developer.apple.com/account -> Membership Details"));let e=await bt({message:"Ente...
High
Child Process

Package source references child process execution.

dist/chunk-ZPETQEMG.jsView on unpkg · L1
15L16: 1. Open: ${F.cyan("https://appstoreconnect.apple.com/access/integrations/api")} L17: 2. Find Key ID: ${F.green(v)} L18: 3. Click ${F.bold("Download API Key")} (only available once) L19: 4. Drag & drop the downloaded .p8 file below`,"Manual Step Required");let b=await Q({message:"Path to the downloaded .p8 file (drag & drop here):",validate:D=>E.existsSync(D)?void ... L20: ${c.stderr||""}`);if(p.length>0){n.stop("Select App Store Connect team");let A=await le({message:"Select the App Store Connect team to list API keys:",options:p.map(v=>({value:v.id... L21: `).split(/\r?\n/).map(n=>n.trim()).filter(Boolean);return t.length>0?t.slice(-8).join(` ... L29: `)?n:`${n} L30: `,"utf8")),r.writeZip(a),a},mt=e=>{let t=e.toLowerCase();return t==="production"||t==="prod"||t.includes("store")||t.endsWith("-production")||t.endsWith("-prod")},on=e=>{let t=e.to... L31: `).map(G=>G.trim()).filter(G=>G.length>0),te].join(" ");O(`security list-keychains -d user -s ${S}`)}}catch(R){o.warn(d.dim("Keychain setup warning (non-critical): "+R.message))}le...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunk-ZPETQEMG.jsView on unpkg · L15
37patternName = generic_password severity = medium line = 37 matchedText = Manual U...in(`
Medium
Secret Pattern

Hardcoded password in dist/chunk-ZPETQEMG.js

dist/chunk-ZPETQEMG.jsView on unpkg · L37
expo-plugin/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @radhya/mach@2.0.31 matchedIdentity = npm:QHJhZGh5YS9tYWNo:2.0.31 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

expo-plugin/index.jsView on unpkg

Findings

5 Critical2 High6 Medium5 Low
CriticalCritical Secretdist/index.js
CriticalSame File Env Network Executiondist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
CriticalPrevious Version Dangerous Deltaexpo-plugin/index.js
CriticalSecret Patterndist/index.js
HighChild Processdist/chunk-ZPETQEMG.js
HighCommand Output Exfiltrationdist/chunk-ZPETQEMG.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/chunk-ZPETQEMG.js
MediumSecret Patterndist/index.js
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings