registry  /  @stacksjs/ts-cloud  /  0.6.0

@stacksjs/ts-cloud@0.6.0

A lightweight, performant infrastructure-as-code library and CLI for deploying both server-based (EC2) and serverless applications.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are aligned with a cloud deployment CLI and library and are activated by imports or explicit CLI commands, not npm install lifecycle execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the library or runs the cloud CLI commands.
Impact
Can deploy, mutate, or delete user cloud resources when explicitly invoked with user credentials.
Mechanism
AWS/cloud infrastructure management and deployment operations
Rationale
Scanner findings map to expected behavior for an infrastructure-as-code package: credential resolution, signed AWS/API requests, and user-invoked deployment/build commands. There is no install-time execution, credential exfiltration endpoint, persistence, destructive hidden behavior, or AI-agent control hijack in the inspected source.
Evidence
package.jsonREADME.mddist/index.jsdist/bin/cli.js
Network endpoints9
sts.amazonaws.comapi.porkbun.com/api/json/v3api.godaddy.comapi.ote-godaddy.comapi.cloudflare.com/client/v4169.254.169.254169.254.170.2nodejs.org/dist/index.jsongithub.com/oven-sh/bun/releases/latest/download/${bunArch}.zip

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepublishOnly only runs on package publishing.
    • README.md describes an AWS infrastructure/CLI tool for deploy, DNS, storage, secrets, logs, and cost commands.
    • dist/index.js reads AWS credentials from env, ~/.aws/credentials, IMDS/ECS, and web identity for AWS signing, not for exfiltration.
    • dist/index.js network calls are package-aligned AWS, DNS provider, runtime download, and localhost dashboard endpoints.
    • dist/index.js child_process use is user-invoked build/deploy behavior: build hooks, curl downloads, tar/unzip for runtime layers.
    • No AI-agent config/control-surface writes or lifecycle persistence found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 2.68 MB of source, external domains: 127.0.0.1, 169.254.169.254, 169.254.170.2, analytics.stacksjs.com, api.cloudflare.com, api.example.com, api.godaddy.com, api.ote-godaddy.com, api.porkbun.com, aws.amazon.com, awscli.amazonaws.com, bun.sh, caddyserver.com, cloudfront.amazonaws.com, console.aws.amazon.com, deno.land, dl.cloudsmith.io, github.com, json-schema.org, nodejs.org, raw.githubusercontent.com, route53.amazonaws.com, rpm.nodesource.com, rpms.remirepo.net, s3.amazonaws.com, sqs.us-east-1.amazonaws.com, sts.amazonaws.com, wordpress.org, www.w3.org
    Oversized source lightweight scan
    dist/index.js2.88 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsCryptoShellDynamicRequireHighEntropyStringsUrlStringsrpm.nodesource.coms3.amazonaws.com

    Source & flagged code

    19 flagged · loading source
    dist/bin/cli.jsView file
    530patternName = aws_access_key severity = critical line = 530 matchedText = `)}funct...in(`
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/bin/cli.jsView on unpkg · L530
    58</ChangeBatch> L59: </ChangeResourceRecordSetsRequest>`;let Z=await this.client.request({service:"route53",region:this.region,method:"POST",path:`/2013-04-01/hostedzone/${J}/rrset`,headers:{"content-t... L60: `),k=m8(x),y=[j,O,E,k].join(` ... L70: `)+` L71: `}function kz($){return Object.keys($).sort().map((J)=>J.toLowerCase()).join(";")}function Z7($){let J=[];return $.forEach((Y,Z)=>{J.push([mJ(Z),mJ(Y)])}),J.sort((Y,Z)=>{if(Y[0]<Z[... L72: ${this.convertToYAML(G,J+1)}`;else if(Array.isArray(G)){Z+=`${Y}${Q}:
    Critical
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution with blocking evidence.

    dist/bin/cli.jsView on unpkg · L58
    2// @bun L3: import{createRequire as VB}from"node:module";var FB=Object.defineProperty;var BB=($)=>$;function KB($,J){this[$]=BB.bind(null,J)}var h0=($,J)=>{for(var Y in J)FB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${F0.bright}${F0.cyan}${$}${F0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${F0.cyan}?${F0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(u2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(u2(`│ ${G.padEnd(Z)} │`,J))}),console.log(u2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/bin/cli.jsView on unpkg · L2
    2Trigger-reachable chain: manifest.bin -> dist/bin/cli.js L2: // @bun L3: import{createRequire as VB}from"node:module";var FB=Object.defineProperty;var BB=($)=>$;function KB($,J){this[$]=BB.bind(null,J)}var h0=($,J)=>{for(var Y in J)FB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${F0.bright}${F0.cyan}${$}${F0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${F0.cyan}?${F0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(u2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(u2(`│ ${G.padEnd(Z)} │`,J))}),console.log(u2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.…
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/bin/cli.jsView on unpkg · L2
    530patternName = aws_access_key severity = critical line = 530 matchedText = `)}funct...in(`
    Critical
    Secret Pattern

    AWS access key ID in dist/bin/cli.js

    dist/bin/cli.jsView on unpkg · L530
    8041patternName = private_key_rsa severity = critical line = 8041 matchedText = Team mem...it(`
    Critical
    Secret Pattern

    RSA private key in dist/bin/cli.js

    dist/bin/cli.jsView on unpkg · L8041
    8041patternName = private_key_ec severity = critical line = 8041 matchedText = Team mem...it(`
    Critical
    Secret Pattern

    EC private key in dist/bin/cli.js

    dist/bin/cli.jsView on unpkg · L8041
    8041patternName = private_key_openssh severity = critical line = 8041 matchedText = Team mem...it(`
    Critical
    Secret Pattern

    OpenSSH private key in dist/bin/cli.js

    dist/bin/cli.jsView on unpkg · L8041
    58</ChangeBatch> L59: </ChangeResourceRecordSetsRequest>`;let Z=await this.client.request({service:"route53",region:this.region,method:"POST",path:`/2013-04-01/hostedzone/${J}/rrset`,headers:{"content-t... L60: `),k=m8(x),y=[j,O,E,k].join(`
    High
    Child Process

    Package source references child process execution.

    dist/bin/cli.jsView on unpkg · L58
    7463`);return[`mkdir -p ${Z}`,`(cd ${I2} && ${G} add @stacksjs/tlsx@${W}) || true`,...H8(V,_,"TS_CLOUD_RENEW_EOF"),`chmod +x ${V}`,...H8(`/etc/systemd/system/${A}`,E,"TS_CLOUD_RENEW_SV... L7464: `),"TS_CLOUD_RPX_UNIT_EOF"),"systemctl daemon-reload","systemctl disable --now bun-gateway.service 2>/dev/null || true","systemctl disable --now ts-cloud-nginx.service 2>/dev/null ... L7465: `,"utf8")}var FX=".ts-cloud/state";var KX=()=>{};import{existsSync as pT,readFileSync as rT}from"node:fs";import{homedir as nT}from"node:os";import{join as iT}from"node:path";impor... L7466: `),Y=[];for(let Q of $.targets){if(!Q.publicIp){Y.push({instanceId:Q.id,status:"Failed",error:"Missing public IP"});continue}try{let G=this.sshExec(Q.publicIp,J);Y.push({instanceId... L7467: ${Q}`)}catch(Q){if(Q instanceof Error&&/cloud-init reported an error/.test(Q.message))throw Q}await this.sleep(J)}throw Error(`Timed out waiting for cloud-init to finish on ${$} af... L7468: `);try{let Y=Bun.spawn(["bash","-c",J],{stdout:"pipe",stderr:"pipe",env:process.env}),[Z,Q,G]=await Promise.all([new Response(Y.stdout).text(),new Response(Y.stderr).text(),Y.exite... L7469: `)}function tT($){return`"${$.replace(/\\/g,"\\
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/bin/cli.jsView on unpkg · L7463
    2// @bun L3: import{createRequire as VB}from"node:module";var FB=Object.defineProperty;var BB=($)=>$;function KB($,J){this[$]=BB.bind(null,J)}var h0=($,J)=>{for(var Y in J)FB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${F0.bright}${F0.cyan}${$}${F0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${F0.cyan}?${F0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(u2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(u2(`│ ${G.padEnd(Z)} │`,J))}),console.log(u2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/bin/cli.jsView on unpkg · L2
    2// @bun L3: import{createRequire as VB}from"node:module";var FB=Object.defineProperty;var BB=($)=>$;function KB($,J){this[$]=BB.bind(null,J)}var h0=($,J)=>{for(var Y in J)FB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${F0.bright}${F0.cyan}${$}${F0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${F0.cyan}?${F0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(u2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(u2(`│ ${G.padEnd(Z)} │`,J))}),console.log(u2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
    High
    Cloud Metadata Access

    Source reaches cloud instance metadata or link-local credential endpoints.

    dist/bin/cli.jsView on unpkg · L2
    9`)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${F0.cyan}?${F0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(u2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(u2(`│ ${G.padEnd(Z)} │`,J))}),console.log(u2(`└${Q}┘`,J))}async fun...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/bin/cli.jsView on unpkg · L9
    2// @bun L3: import{createRequire as VB}from"node:module";var FB=Object.defineProperty;var BB=($)=>$;function KB($,J){this[$]=BB.bind(null,J)}var h0=($,J)=>{for(var Y in J)FB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${F0.bright}${F0.cyan}${$}${F0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${F0.cyan}?${F0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(u2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(u2(`│ ${G.padEnd(Z)} │`,J))}),console.log(u2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/bin/cli.jsView on unpkg · L2
    7315patternName = generic_password severity = medium line = 7315 matchedText = `,Q}}var...in(`
    Medium
    Secret Pattern

    Hardcoded password in dist/bin/cli.js

    dist/bin/cli.jsView on unpkg · L7315
    2// @bun L3: import{createRequire as VB}from"node:module";var FB=Object.defineProperty;var BB=($)=>$;function KB($,J){this[$]=BB.bind(null,J)}var h0=($,J)=>{for(var Y in J)FB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${F0.bright}${F0.cyan}${$}${F0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function T0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${F0.cyan}?${F0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(u2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(u2(`│ ${G.padEnd(Z)} │`,J))}),console.log(u2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/bin/cli.jsView on unpkg · L2
    dist/index.jsView file
    path = dist/index.js kind = oversized_source_file sizeBytes = 3023826 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/index.jsView on unpkg
    dist/push/fcm.d.tsView file
    14patternName = private_key_rsa severity = critical line = 14 matchedText = * priv.....',
    Critical
    Secret Pattern

    RSA private key in dist/push/fcm.d.ts

    dist/push/fcm.d.tsView on unpkg · L14
    dist/push/index.d.tsView file
    31patternName = private_key_rsa severity = critical line = 31 matchedText = * priv.....',
    Critical
    Secret Pattern

    RSA private key in dist/push/index.d.ts

    dist/push/index.d.tsView on unpkg · L31

    Findings

    10 Critical6 High6 Medium7 Low
    CriticalCritical Secretdist/bin/cli.js
    CriticalSame File Env Network Executiondist/bin/cli.js
    CriticalCredential Exfiltrationdist/bin/cli.js
    CriticalTrigger Reachable Dangerous Capabilitydist/bin/cli.js
    CriticalSecret Patterndist/bin/cli.js
    CriticalSecret Patterndist/bin/cli.js
    CriticalSecret Patterndist/bin/cli.js
    CriticalSecret Patterndist/bin/cli.js
    CriticalSecret Patterndist/push/fcm.d.ts
    CriticalSecret Patterndist/push/index.d.ts
    HighChild Processdist/bin/cli.js
    HighShell
    HighCommand Output Exfiltrationdist/bin/cli.js
    HighSandbox Evasion Gated Capabilitydist/bin/cli.js
    HighCloud Metadata Accessdist/bin/cli.js
    HighOversized Source Filedist/index.js
    MediumDynamic Requiredist/bin/cli.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/bin/cli.js
    MediumStructural Risk Force Deep Review
    MediumSecret Patterndist/bin/cli.js
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowWeak Cryptodist/bin/cli.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings