registry  /  @stacksjs/ts-cloud  /  0.5.32

@stacksjs/ts-cloud@0.5.32

⚠ Under review

A lightweight, performant infrastructure-as-code library and CLI for deploying both server-based (EC2) and serverless applications.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 29 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.66 MB of source, external domains: 127.0.0.1, 169.254.169.254, 169.254.170.2, analytics.stacksjs.com, api.cloudflare.com, api.example.com, api.godaddy.com, api.ote-godaddy.com, api.porkbun.com, aws.amazon.com, awscli.amazonaws.com, bun.sh, caddyserver.com, cloudfront.amazonaws.com, console.aws.amazon.com, deno.land, dl.cloudsmith.io, github.com, json-schema.org, nodejs.org, raw.githubusercontent.com, route53.amazonaws.com, rpm.nodesource.com, rpms.remirepo.net, s3.amazonaws.com, sqs.us-east-1.amazonaws.com, sts.amazonaws.com, wordpress.org, www.w3.org
Oversized source lightweight scan
dist/index.js2.84 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellDynamicRequireHighEntropyStringsUrlStrings127.0.0.1rpm.nodesource.coms3.amazonaws.com

Source & flagged code

19 flagged · loading source
dist/bin/cli.jsView file
530patternName = aws_access_key severity = critical line = 530 matchedText = `)}funct...in(`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/bin/cli.jsView on unpkg · L530
58</ChangeBatch> L59: </ChangeResourceRecordSetsRequest>`;let Z=await this.client.request({service:"route53",region:this.region,method:"POST",path:`/2013-04-01/hostedzone/${J}/rrset`,headers:{"content-t... L60: `),b=P8(I),y=[E,V,M,b].join(` ... L70: `)+` L71: `}function Zz($){return Object.keys($).sort().map((J)=>J.toLowerCase()).join(";")}function v6($){let J=[];return $.forEach((Y,Z)=>{J.push([qJ(Z),qJ(Y)])}),J.sort((Y,Z)=>{if(Y[0]<Z[... L72: ${this.convertToYAML(G,J+1)}`;else if(Array.isArray(G)){Z+=`${Y}${Q}:
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/bin/cli.jsView on unpkg · L58
2// @bun L3: import{createRequire as MX}from"node:module";var jX=Object.defineProperty;var LX=($)=>$;function EX($,J){this[$]=LX.bind(null,J)}var h0=($,J)=>{for(var Y in J)jX($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[F,...B]=U.split("="),K=B.jo... L5: `).join(""),E=_.map((b)=>b.toLowerCase()).join(";"),j=[Q,A,V,M,E,O].join(` ... L8: ${X0.bright}${X0.cyan}${$}${X0.reset} L9: `)}class N{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${X0.cyan}?${X0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(h2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(h2(`│ ${G.padEnd(Z)} │`,J))}),console.log(h2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/bin/cli.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> dist/bin/cli.js L2: // @bun L3: import{createRequire as MX}from"node:module";var jX=Object.defineProperty;var LX=($)=>$;function EX($,J){this[$]=LX.bind(null,J)}var h0=($,J)=>{for(var Y in J)jX($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[F,...B]=U.split("="),K=B.jo... L5: `).join(""),E=_.map((b)=>b.toLowerCase()).join(";"),j=[Q,A,V,M,E,O].join(` ... L8: ${X0.bright}${X0.cyan}${$}${X0.reset} L9: `)}class N{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${X0.cyan}?${X0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(h2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(h2(`│ ${G.padEnd(Z)} │`,J))}),console.log(h2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin/cli.jsView on unpkg · L2
530patternName = aws_access_key severity = critical line = 530 matchedText = `)}funct...in(`
Critical
Secret Pattern

AWS access key ID in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L530
8032patternName = private_key_rsa severity = critical line = 8032 matchedText = Team mem...it(`
Critical
Secret Pattern

RSA private key in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L8032
8032patternName = private_key_ec severity = critical line = 8032 matchedText = Team mem...it(`
Critical
Secret Pattern

EC private key in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L8032
8032patternName = private_key_openssh severity = critical line = 8032 matchedText = Team mem...it(`
Critical
Secret Pattern

OpenSSH private key in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L8032
58</ChangeBatch> L59: </ChangeResourceRecordSetsRequest>`;let Z=await this.client.request({service:"route53",region:this.region,method:"POST",path:`/2013-04-01/hostedzone/${J}/rrset`,headers:{"content-t... L60: `),b=P8(I),y=[E,V,M,b].join(`
High
Child Process

Package source references child process execution.

dist/bin/cli.jsView on unpkg · L58
7458`);return[`mkdir -p ${Z}`,`(cd ${R2} && ${G} add @stacksjs/tlsx@${W}) || true`,...e$(O,_,"TS_CLOUD_RENEW_EOF"),`chmod +x ${O}`,...e$(`/etc/systemd/system/${A}`,M,"TS_CLOUD_RENEW_SV... L7459: `),"TS_CLOUD_RPX_UNIT_EOF"),"systemctl daemon-reload","systemctl disable --now bun-gateway.service 2>/dev/null || true","systemctl disable --now ts-cloud-nginx.service 2>/dev/null ... L7460: `,"utf8")}var bH=".ts-cloud/state";var vH=()=>{};import{existsSync as oq,readFileSync as eq}from"node:fs";import{homedir as $T}from"node:os";import{join as JT}from"node:path";impor... L7461: `),Y=[];for(let Q of $.targets){if(!Q.publicIp){Y.push({instanceId:Q.id,status:"Failed",error:"Missing public IP"});continue}try{let G=this.sshExec(Q.publicIp,J);Y.push({instanceId... L7462: ${Q}`)}catch(Q){if(Q instanceof Error&&/cloud-init reported an error/.test(Q.message))throw Q}await this.sleep(J)}throw Error(`Timed out waiting for cloud-init to finish on ${$} af... L7463: `);try{let Y=Bun.spawn(["bash","-c",J],{stdout:"pipe",stderr:"pipe",env:process.env}),[Z,Q,G]=await Promise.all([new Response(Y.stdout).text(),new Response(Y.stderr).text(),Y.exite... L7464: `)}function ZT($){return`"${$.replace(/\\/g,"\\
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin/cli.jsView on unpkg · L7458
2// @bun L3: import{createRequire as MX}from"node:module";var jX=Object.defineProperty;var LX=($)=>$;function EX($,J){this[$]=LX.bind(null,J)}var h0=($,J)=>{for(var Y in J)jX($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[F,...B]=U.split("="),K=B.jo... L5: `).join(""),E=_.map((b)=>b.toLowerCase()).join(";"),j=[Q,A,V,M,E,O].join(` ... L8: ${X0.bright}${X0.cyan}${$}${X0.reset} L9: `)}class N{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${X0.cyan}?${X0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(h2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(h2(`│ ${G.padEnd(Z)} │`,J))}),console.log(h2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/cli.jsView on unpkg · L2
2// @bun L3: import{createRequire as MX}from"node:module";var jX=Object.defineProperty;var LX=($)=>$;function EX($,J){this[$]=LX.bind(null,J)}var h0=($,J)=>{for(var Y in J)jX($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[F,...B]=U.split("="),K=B.jo... L5: `).join(""),E=_.map((b)=>b.toLowerCase()).join(";"),j=[Q,A,V,M,E,O].join(` ... L8: ${X0.bright}${X0.cyan}${$}${X0.reset} L9: `)}class N{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${X0.cyan}?${X0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(h2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(h2(`│ ${G.padEnd(Z)} │`,J))}),console.log(h2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/bin/cli.jsView on unpkg · L2
9`)}class N{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${X0.cyan}?${X0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(h2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(h2(`│ ${G.padEnd(Z)} │`,J))}),console.log(h2(`└${Q}┘`,J))}async fun...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/cli.jsView on unpkg · L9
2// @bun L3: import{createRequire as MX}from"node:module";var jX=Object.defineProperty;var LX=($)=>$;function EX($,J){this[$]=LX.bind(null,J)}var h0=($,J)=>{for(var Y in J)jX($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[F,...B]=U.split("="),K=B.jo... L5: `).join(""),E=_.map((b)=>b.toLowerCase()).join(";"),j=[Q,A,V,M,E,O].join(` ... L8: ${X0.bright}${X0.cyan}${$}${X0.reset} L9: `)}class N{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${X0.cyan}?${X0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(h2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(h2(`│ ${G.padEnd(Z)} │`,J))}),console.log(h2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/bin/cli.jsView on unpkg · L2
7315patternName = generic_password severity = medium line = 7315 matchedText = `,Q}}var...in(`
Medium
Secret Pattern

Hardcoded password in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L7315
2// @bun L3: import{createRequire as MX}from"node:module";var jX=Object.defineProperty;var LX=($)=>$;function EX($,J){this[$]=LX.bind(null,J)}var h0=($,J)=>{for(var Y in J)jX($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[F,...B]=U.split("="),K=B.jo... L5: `).join(""),E=_.map((b)=>b.toLowerCase()).join(";"),j=[Q,A,V,M,E,O].join(` ... L8: ${X0.bright}${X0.cyan}${$}${X0.reset} L9: `)}class N{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${X0.cyan}?${X0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(h2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(h2(`│ ${G.padEnd(Z)} │`,J))}),console.log(h2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin/cli.jsView on unpkg · L2
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 2975496 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg
dist/push/fcm.d.tsView file
14patternName = private_key_rsa severity = critical line = 14 matchedText = * priv.....',
Critical
Secret Pattern

RSA private key in dist/push/fcm.d.ts

dist/push/fcm.d.tsView on unpkg · L14
dist/push/index.d.tsView file
31patternName = private_key_rsa severity = critical line = 31 matchedText = * priv.....',
Critical
Secret Pattern

RSA private key in dist/push/index.d.ts

dist/push/index.d.tsView on unpkg · L31

Findings

10 Critical6 High6 Medium7 Low
CriticalCritical Secretdist/bin/cli.js
CriticalSame File Env Network Executiondist/bin/cli.js
CriticalCredential Exfiltrationdist/bin/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/push/fcm.d.ts
CriticalSecret Patterndist/push/index.d.ts
HighChild Processdist/bin/cli.js
HighShell
HighCommand Output Exfiltrationdist/bin/cli.js
HighSandbox Evasion Gated Capabilitydist/bin/cli.js
HighCloud Metadata Accessdist/bin/cli.js
HighOversized Source Filedist/index.js
MediumDynamic Requiredist/bin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/bin/cli.js
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/bin/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/bin/cli.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings