registry  /  @rightkit/release  /  0.2.21

@rightkit/release@0.2.21

Portable Right Suite release CLI/SDK: signed installers, updater artifacts, patch/update routing, hardening, R2 publish, and RightApps registration.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 35 file(s), 171 KB of source, external domains: api.cloudflare.com, api.spoares.com, evil.invalid, example.invalid, example.test, github.com, huggingface.co, index.crates.io, pub-6c73208d46c245a9b4881d5e02f6b618.r2.dev, rightapps-license-gate.adrdsouza.workers.dev, rightapps.example, timestamp.acs.microsoft.com

Source & flagged code

4 flagged · loading source
release.mjsView file
58const configPath = path.resolve(opts.config); L59: const config = (await import(pathToFileURL(configPath))).default; L60: if (!config) usage(2, `config did not export default: ${configPath}`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

release.mjsView on unpkg · L58
publish-update.mjsView file
5import { fileURLToPath, pathToFileURL } from "node:url"; L6: import { spawn } from "node:child_process"; L7: import { pruneReleaseObjects } from "./prune-r2.mjs"; ... L12: const UPLOAD = path.join(TOOL_ROOT, "upload-large.mjs"); L13: const API_BASE = process.env.RIGHTAPPS_API_URL || "https://api.spoares.com"; L14: const DOWNLOAD_BASE = process.env.RIGHTAPPS_UPDATE_DOWNLOAD_BASE || "https://rightapps-license-gate.adrdsouza.workers.dev"; L15: const PUBLIC_BASE = process.env.RIGHTAPPS_PUBLIC_DOWNLOAD_BASE || "https://pub-[redacted].r2.dev"; L16: const PIPELINE_VERSION = JSON.parse(await readFile(path.join(TOOL_ROOT, "package.json"), "utf8")).version; L17: const tier = process.env.RIGHT_RELEASE_TIER || ""; ... L19: let configName = "right-release.config.mjs"; L20: let platform = process.platform === "win32" ? "win" : "mac"; L21: let dryRun = false;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

publish-update.mjsView on unpkg · L5
matchType = previous_version_dangerous_delta matchedPackage = @rightkit/release@0.2.19 matchedIdentity = npm:QHJpZ2h0a2l0L3JlbGVhc2U:0.2.19 similarity = 0.808 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

publish-update.mjsView on unpkg
lsclean.shView file
path = lsclean.sh kind = build_helper sizeBytes = 1204 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lsclean.shView on unpkg

Findings

2 High5 Medium5 Low
HighSandbox Evasion Gated Capabilitypublish-update.mjs
HighPrevious Version Dangerous Deltapublish-update.mjs
MediumDynamic Requirerelease.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperlsclean.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License