registry  /  @stacksjs/ts-cloud  /  0.7.3

@stacksjs/ts-cloud@0.7.3

⚠ Under review

A lightweight, performant infrastructure-as-code library and CLI for deploying both server-based (EC2) and serverless applications.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 29 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.69 MB of source, external domains: 127.0.0.1, 169.254.169.254, 169.254.170.2, analytics.stacksjs.com, api.cloudflare.com, api.example.com, api.godaddy.com, api.ote-godaddy.com, api.porkbun.com, aws.amazon.com, awscli.amazonaws.com, bun.sh, caddyserver.com, cloudfront.amazonaws.com, console.aws.amazon.com, deno.land, dl.cloudsmith.io, github.com, json-schema.org, nodejs.org, raw.githubusercontent.com, route53.amazonaws.com, rpm.nodesource.com, rpms.remirepo.net, s3.amazonaws.com, sqs.us-east-1.amazonaws.com, sts.amazonaws.com, wordpress.org, www.w3.org
Oversized source lightweight scan
dist/index.js2.89 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellDynamicRequireHighEntropyStringsUrlStringsrpm.nodesource.coms3.amazonaws.com

Source & flagged code

19 flagged · loading source
dist/bin/cli.jsView file
530patternName = aws_access_key severity = critical line = 530 matchedText = `)}funct...in(`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/bin/cli.jsView on unpkg · L530
58</ChangeBatch> L59: </ChangeResourceRecordSetsRequest>`;let Z=await this.client.request({service:"route53",region:this.region,method:"POST",path:`/2013-04-01/hostedzone/${J}/rrset`,headers:{"content-t... L60: `),k=s8(x),y=[j,O,E,k].join(` ... L70: `)+` L71: `}function hz($){return Object.keys($).sort().map((J)=>J.toLowerCase()).join(";")}function z7($){let J=[];return $.forEach((Y,Z)=>{J.push([lJ(Z),lJ(Y)])}),J.sort((Y,Z)=>{if(Y[0]<Z[... L72: ${this.convertToYAML(G,J+1)}`;else if(Array.isArray(G)){Z+=`${Y}${Q}:
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/bin/cli.jsView on unpkg · L58
2// @bun L3: import{createRequire as AB}from"node:module";var KB=Object.defineProperty;var VB=($)=>$;function OB($,J){this[$]=VB.bind(null,J)}var h0=($,J)=>{for(var Y in J)KB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${K0.bright}${K0.cyan}${$}${K0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function w0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${K0.cyan}?${K0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(c2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(c2(`│ ${G.padEnd(Z)} │`,J))}),console.log(c2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/bin/cli.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> dist/bin/cli.js L2: // @bun L3: import{createRequire as AB}from"node:module";var KB=Object.defineProperty;var VB=($)=>$;function OB($,J){this[$]=VB.bind(null,J)}var h0=($,J)=>{for(var Y in J)KB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${K0.bright}${K0.cyan}${$}${K0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function w0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${K0.cyan}?${K0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(c2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(c2(`│ ${G.padEnd(Z)} │`,J))}),console.log(c2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin/cli.jsView on unpkg · L2
530patternName = aws_access_key severity = critical line = 530 matchedText = `)}funct...in(`
Critical
Secret Pattern

AWS access key ID in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L530
8052patternName = private_key_rsa severity = critical line = 8052 matchedText = Team mem...it(`
Critical
Secret Pattern

RSA private key in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L8052
8052patternName = private_key_ec severity = critical line = 8052 matchedText = Team mem...it(`
Critical
Secret Pattern

EC private key in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L8052
8052patternName = private_key_openssh severity = critical line = 8052 matchedText = Team mem...it(`
Critical
Secret Pattern

OpenSSH private key in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L8052
58</ChangeBatch> L59: </ChangeResourceRecordSetsRequest>`;let Z=await this.client.request({service:"route53",region:this.region,method:"POST",path:`/2013-04-01/hostedzone/${J}/rrset`,headers:{"content-t... L60: `),k=s8(x),y=[j,O,E,k].join(`
High
Child Process

Package source references child process execution.

dist/bin/cli.jsView on unpkg · L58
7474`);return[`mkdir -p ${Z}`,`(cd ${b2} && ${G} add @stacksjs/tlsx@${W}) || true`,...K8(V,_,"TS_CLOUD_RENEW_EOF"),`chmod +x ${V}`,...K8(`/etc/systemd/system/${A}`,E,"TS_CLOUD_RENEW_SV... L7475: `),"TS_CLOUD_RPX_UNIT_EOF"),"systemctl daemon-reload","systemctl disable --now bun-gateway.service 2>/dev/null || true","systemctl disable --now ts-cloud-nginx.service 2>/dev/null ... L7476: `,"utf8")}var KX=".ts-cloud/state";var OX=()=>{};import{existsSync as iT,readFileSync as aT}from"node:fs";import{homedir as tT}from"node:os";import{join as sT}from"node:path";impor... L7477: `),Y=[];for(let Q of $.targets){if(!Q.publicIp){Y.push({instanceId:Q.id,status:"Failed",error:"Missing public IP"});continue}try{let G=this.sshExec(Q.publicIp,J);Y.push({instanceId... L7478: ${Q}`)}catch(Q){if(Q instanceof Error&&/cloud-init reported an error/.test(Q.message))throw Q}await this.sleep(J)}throw Error(`Timed out waiting for cloud-init to finish on ${$} af... L7479: `);try{let Y=Bun.spawn(["bash","-c",J],{stdout:"pipe",stderr:"pipe",env:process.env}),[Z,Q,G]=await Promise.all([new Response(Y.stdout).text(),new Response(Y.stderr).text(),Y.exite... L7480: `)}function eT($){return`"${$.replace(/\\/g,"\\
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin/cli.jsView on unpkg · L7474
2// @bun L3: import{createRequire as AB}from"node:module";var KB=Object.defineProperty;var VB=($)=>$;function OB($,J){this[$]=VB.bind(null,J)}var h0=($,J)=>{for(var Y in J)KB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${K0.bright}${K0.cyan}${$}${K0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function w0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${K0.cyan}?${K0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(c2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(c2(`│ ${G.padEnd(Z)} │`,J))}),console.log(c2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/cli.jsView on unpkg · L2
2// @bun L3: import{createRequire as AB}from"node:module";var KB=Object.defineProperty;var VB=($)=>$;function OB($,J){this[$]=VB.bind(null,J)}var h0=($,J)=>{for(var Y in J)KB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${K0.bright}${K0.cyan}${$}${K0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function w0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${K0.cyan}?${K0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(c2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(c2(`│ ${G.padEnd(Z)} │`,J))}),console.log(c2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/bin/cli.jsView on unpkg · L2
9`)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function w0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${K0.cyan}?${K0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(c2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(c2(`│ ${G.padEnd(Z)} │`,J))}),console.log(c2(`└${Q}┘`,J))}async fun...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/cli.jsView on unpkg · L9
2// @bun L3: import{createRequire as AB}from"node:module";var KB=Object.defineProperty;var VB=($)=>$;function OB($,J){this[$]=VB.bind(null,J)}var h0=($,J)=>{for(var Y in J)KB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${K0.bright}${K0.cyan}${$}${K0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function w0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${K0.cyan}?${K0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(c2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(c2(`│ ${G.padEnd(Z)} │`,J))}),console.log(c2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/bin/cli.jsView on unpkg · L2
7315patternName = generic_password severity = medium line = 7315 matchedText = `,Q}}var...in(`
Medium
Secret Pattern

Hardcoded password in dist/bin/cli.js

dist/bin/cli.jsView on unpkg · L7315
2// @bun L3: import{createRequire as AB}from"node:module";var KB=Object.defineProperty;var VB=($)=>$;function OB($,J){this[$]=VB.bind(null,J)}var h0=($,J)=>{for(var Y in J)KB($,Y,{get:J[Y],enum... L4: `),Z="",Q="",G="",W;for(let z of Y){let U=z.trim();if(!U||U.startsWith("#"))continue;let H=U.match(/^\[([^\]]+)\]$/);if(H){Z=H[1];continue}if(Z===J){let[X,...B]=U.split("="),K=B.jo... L5: `).join(""),j=_.map((k)=>k.toLowerCase()).join(";"),T=[Q,A,O,E,j,V].join(` ... L8: ${K0.bright}${K0.cyan}${$}${K0.reset} L9: `)}class P{frames=["⠋","⠙","⠹","⠸","⠼","⠴","⠦","⠧","⠇","⠏"];interval=null;currentFrame=0;message;constructor($){this.message=$}get text(){return this.message}set text($){if(this.me... L10: `)}}async function w0($,J){let Z=(await import("node:readline")).createInterface({input:process.stdin,output:process.stdout});return new Promise((Q)=>{let G=J?`${K0.cyan}?${K0.rese... L11: `),Z=Math.max(...Y.map((G)=>G.length)),Q="─".repeat(Z+2);console.log(c2(`┌${Q}┐`,J)),Y.forEach((G)=>{console.log(c2(`│ ${G.padEnd(Z)} │`,J))}),console.log(c2(`└${Q}┘`,J))}async fun... L12: <CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> ... L15: <HostedZoneConfig>`,$.Hoste
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin/cli.jsView on unpkg · L2
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 3035389 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg
dist/push/fcm.d.tsView file
14patternName = private_key_rsa severity = critical line = 14 matchedText = * priv.....',
Critical
Secret Pattern

RSA private key in dist/push/fcm.d.ts

dist/push/fcm.d.tsView on unpkg · L14
dist/push/index.d.tsView file
31patternName = private_key_rsa severity = critical line = 31 matchedText = * priv.....',
Critical
Secret Pattern

RSA private key in dist/push/index.d.ts

dist/push/index.d.tsView on unpkg · L31

Findings

10 Critical6 High6 Medium7 Low
CriticalCritical Secretdist/bin/cli.js
CriticalSame File Env Network Executiondist/bin/cli.js
CriticalCredential Exfiltrationdist/bin/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/bin/cli.js
CriticalSecret Patterndist/push/fcm.d.ts
CriticalSecret Patterndist/push/index.d.ts
HighChild Processdist/bin/cli.js
HighShell
HighCommand Output Exfiltrationdist/bin/cli.js
HighSandbox Evasion Gated Capabilitydist/bin/cli.js
HighCloud Metadata Accessdist/bin/cli.js
HighOversized Source Filedist/index.js
MediumDynamic Requiredist/bin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/bin/cli.js
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/bin/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/bin/cli.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings