registry  /  @transcend-io/cli  /  10.12.2

@transcend-io/cli@10.12.2

A command line interface for programmatic operations across Transcend.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked Transcend administration CLI with expected API, filesystem, and local tool operations for importing/exporting privacy, consent, inventory, and policy data.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit invocation of the transcend CLI or legacy bin aliases
Impact
Expected read/write/API effects scoped to selected CLI commands and user-provided files
Mechanism
User-directed admin CLI operations
Rationale
Static inspection found no install-time/import-time execution, credential harvesting, exfiltration, persistence, or AI-agent control-surface mutation. Risky primitives are tied to documented, user-invoked administrative workflows for the Transcend CLI.
Evidence
package.jsondist/bin/cli.mjsdist/bin/deprecated-command.mjsdist/bin/bash-complete.mjsdist/app-Q6Dd5KY8.mjsdist/constants-B6wEjJhL.mjsdist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjsdist/impl-BoIgxdNp.mjsdist/impl-CmPkzyZT.mjs
Network endpoints3
api.transcend.ioconsent.transcend.ioapp.transcend.io

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked commands can read/write CSV/YAML/receipts and call Transcend APIs
  • dist/impl-BoIgxdNp.mjs uses execSync for git config in scan-packages
  • dist/impl-CmPkzyZT.mjs runs opa/tar/git for policy publishing
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • dist/bin/cli.mjs only dispatches CLI args through @stricli/core
  • dist/bin/deprecated-command.mjs only prints deprecation help and exits
  • Trojan-source hint not confirmed: bidi/invisible scan of uploadPrivacyRequestsFromCsv files returned no hits
  • Network defaults are package-aligned Transcend endpoints in dist/constants-B6wEjJhL.mjs
  • No Claude/Codex/Cursor/MCP control-surface writes found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 121 file(s), 334 KB of source, external domains: api.transcend.io, api.us.transcend.io, app.transcend.io, consent.transcend.io, consent.us.transcend.io, docs.transcend.io, github.com, www.openpolicyagent.org

Source & flagged code

12 flagged · loading source
dist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjsView file
1contains invisible/control Unicode U+202D (left-to-right override) import{a as e}from"./constants-B6wEjJhL.mjs";import{t}from"./logger-B-LXIf3U.mjs";import{a as n,c as r,i,l as a,o,r as s,s as c,t as l}from"./constants-KYaYveEQ.mjs";import{n as u,t as d}from"./fuzzyMatchColumns-Dym9eeQe.mjs";import{n as f,
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjsView on unpkg · L1
Trigger-reachable chain: manifest.main -> dist/index.mjs -> [redacted]-DtdcpxcS.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjsView on unpkg
README.mdView file
1706patternName = generic_password severity = medium line = 1706 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1706
2054patternName = generic_password severity = medium line = 2054 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2054
2630patternName = generic_password severity = medium line = 2630 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2630
2739patternName = generic_password severity = medium line = 2739 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2739
2754patternName = generic_password severity = medium line = 2754 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L2754
3332patternName = generic_password severity = medium line = 3332 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3332
3343patternName = generic_password severity = medium line = 3343 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3343
3355patternName = generic_password severity = medium line = 3355 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3355
3367patternName = generic_password severity = medium line = 3367 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3367
3379patternName = generic_password severity = medium line = 3379 matchedText = --passwo...D" \
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L3379

Findings

2 Critical12 Medium4 Low
CriticalTrojan Source Unicodedist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/uploadPrivacyRequestsFromCsv-DtdcpxcS.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings