registry  /  @rightkit/release  /  0.2.5

@rightkit/release@0.2.5

Portable Right Suite release CLI/SDK: signed installers, updater artifacts, patch/update routing, hardening, R2 publish, and RightApps registration.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 15 file(s), 61.0 KB of source, external domains: api.spoares.com, github.com, pub-6c73208d46c245a9b4881d5e02f6b618.r2.dev, rightapps-license-gate.adrdsouza.workers.dev, timestamp.acs.microsoft.com

Source & flagged code

7 flagged · loading source
upload-large.test.mjsView file
4import path from "node:path"; L5: import { spawnSync } from "node:child_process"; L6: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

upload-large.test.mjsView on unpkg · L4
sign-windows.mjsView file
12"VisualStudioCodeCredential", L13: "AzurePowerShellCredential", L14: "AzureDeveloperCliCredential",
High
Shell

Package source references shell execution.

sign-windows.mjsView on unpkg · L12
release.mjsView file
59const configPath = path.resolve(opts.config); L60: const config = (await import(pathToFileURL(configPath))).default; L61: if (!config) usage(2, `config did not export default: ${configPath}`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

release.mjsView on unpkg · L59
publish-update.mjsView file
5import { fileURLToPath, pathToFileURL } from "node:url"; L6: import { spawn } from "node:child_process"; L7: ... L9: const UPLOAD = path.join(TOOL_ROOT, "upload-large.mjs"); L10: const API_BASE = process.env.RIGHTAPPS_API_URL || "https://api.spoares.com"; L11: const DOWNLOAD_BASE = process.env.RIGHTAPPS_UPDATE_DOWNLOAD_BASE || "https://rightapps-license-gate.adrdsouza.workers.dev";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

publish-update.mjsView on unpkg · L5
5import { fileURLToPath, pathToFileURL } from "node:url"; L6: import { spawn } from "node:child_process"; L7: ... L9: const UPLOAD = path.join(TOOL_ROOT, "upload-large.mjs"); L10: const API_BASE = process.env.RIGHTAPPS_API_URL || "https://api.spoares.com"; L11: const DOWNLOAD_BASE = process.env.RIGHTAPPS_UPDATE_DOWNLOAD_BASE || "https://rightapps-license-gate.adrdsouza.workers.dev"; ... L15: let configName = "right-release.config.mjs"; L16: let platform = process.platform === "win32" ? "win" : "mac"; L17: let dryRun = false; ... L119: if (!uploadedKeys.has(artifact.key)) { L120: console.log(`${dryRun ? "[dry-run] " : ""}UPLOAD private/${artifact.key}`); L121: if (!dryRun) await run(process.execPath, [UPLOAD, file, artifact.key, "private"], root);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

publish-update.mjsView on unpkg · L5
matchType = previous_version_dangerous_delta matchedPackage = @rightkit/release@0.2.3 matchedIdentity = npm:QHJpZ2h0a2l0L3JlbGVhc2U:0.2.3 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

publish-update.mjsView on unpkg
lsclean.shView file
path = lsclean.sh kind = build_helper sizeBytes = 1204 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lsclean.shView on unpkg

Findings

5 High5 Medium5 Low
HighChild Processupload-large.test.mjs
HighShellsign-windows.mjs
HighSame File Env Network Executionpublish-update.mjs
HighSandbox Evasion Gated Capabilitypublish-update.mjs
HighPrevious Version Dangerous Deltapublish-update.mjs
MediumDynamic Requirerelease.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperlsclean.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License