registry  /  @tsuga/cli  /  1.2.0

@tsuga/cli@1.2.0

Tsuga CLI - manage resources from the command line

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 25 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 620 KB of source, external domains: 127.0.0.1, api.tsuga.com, example.com, mycompany.webhook.office.com, registry.npmjs.org, www.app.tsuga.com, your-company.atlassian.net

Source & flagged code

17 flagged · loading source
dist/cli.jsView file
126patternName = github_pat severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli.jsView on unpkg · L126
126patternName = github_pat severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Secret Pattern

GitHub personal access token in dist/cli.js

dist/cli.jsView on unpkg · L126
126patternName = github_oauth severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Secret Pattern

GitHub OAuth access token in dist/cli.js

dist/cli.jsView on unpkg · L126
126patternName = github_server_token severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Secret Pattern

GitHub server-to-server token in dist/cli.js

dist/cli.jsView on unpkg · L126
126patternName = github_fine_grained severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Secret Pattern

GitHub fine-grained PAT in dist/cli.js

dist/cli.jsView on unpkg · L126
126patternName = aws_access_key severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Secret Pattern

AWS access key ID in dist/cli.js

dist/cli.jsView on unpkg · L126
126patternName = private_key_rsa severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Secret Pattern

RSA private key in dist/cli.js

dist/cli.jsView on unpkg · L126
126patternName = npm_token severity = critical line = 126 matchedText = ...`};Ob...----
Critical
Secret Pattern

npm access token in dist/cli.js

dist/cli.jsView on unpkg · L126
129patternName = slack_bot_token severity = critical line = 129 matchedText = -----END...,2)}
Critical
Secret Pattern

Slack bot token in dist/cli.js

dist/cli.jsView on unpkg · L129
13(Did you mean one of ${o.join(", ")}?)`:o.length===1?` L14: (Did you mean ${o[0]}?)`:""}vd.suggestSimilar=wU});var jd=dn(wp=>{var NU=require("node:events").EventEmitter,Rp=require("node:child_process"),pr=require("node:path"),hs=require("no... L15: - specify the name in Command constructor or using .name()`);return n=n||{},n.isDefault&&(this._defaultCommandName=t._name),(n.noHelp||n.hidden)&&(t._hidden=!0),this._registerComma...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L13
26Expecting one of '${o.join("', '")}'`);let i=`${t}Help`;return this.on(i,a=>{let c;typeof n=="function"?c=n({error:a.error,command:a.command}):c=n,c&&a.write(`${c} L27: `)}),this}_outputHelpIfRequested(t){let n=this._getHelpOption();n&&t.find(i=>n.is(i))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function $d(e){r... L28: `)}function re(e){q(JSON.stringify(e,null,2))}var ef=["json","tsv","csv"];function Gp(e){let t=ef.find(n=>n===e);if(t!==void 0)return t;throw new Error(`--output must be one of: ${... ... L36: Re-authenticate with \`tsuga auth login\` or \`tsuga auth operation-key <token>\`.`)}}function Co(){try{return ea()}catch{return{}}}function Po(e){(0,Wr.mkdirSync)(P_,{recursive:!0... L37: `,{mode:384})}function Lu(e){return e?.trim()||process.env.TSUGA_API_URL?.trim()||q0}function Uo(e){let t=ea(),n=Lu(e.apiUrl),o=Yd({overrideKey:e.operationApiKey??process.env.TSUGA... L38: `)}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L26
13(Did you mean one of ${o.join(", ")}?)`:o.length===1?` L14: (Did you mean ${o[0]}?)`:""}vd.suggestSimilar=wU});var jd=dn(wp=>{var NU=require("node:events").EventEmitter,Rp=require("node:child_process"),pr=require("node:path"),hs=require("no... L15: - specify the name in Command constructor or using .name()`);return n=n||{},n.isDefault&&(this._defaultCommandName=t._name),(n.noHelp||n.hidden)&&(t._hidden=!0),this._registerComma... ... L26: Expecting one of '${o.join("', '")}'`);let i=`${t}Help`;return this.on(i,a=>{let c;typeof n=="function"?c=n({error:a.error,command:a.command}):c=n,c&&a.write(`${c} L27: `)}),this}_outputHelpIfRequested(t){let n=this._getHelpOption();n&&t.find(i=>n.is(i))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function $d(e){r... L28: `)}function re(e){q(JSON.stringify(e,null,2))}var ef=["json","tsv","csv"];function Gp(e){let t=ef.find(n=>n===e);if(t!==void 0)return t;throw new Error(`--output must be one of: ${...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L13
129-----END PRIVATE KEY-----`,isUsingLuhnAlgorithm:!1,regexp:"-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[ \\r\\n\\t\\f\\v\\S-]{64,}?KEY(?: BLOCK)?-----"},{key:"pulumi_api... L130: `),q(m===void 0?" created":` patched (backup: ${m})`)}function kq(){q("Codex \u2192 installing Tsuga plugin"),Bc("codex",["plugin","marketplace","add",Bl]),Bc("codex",["plugin","... L131: `,c===t&&(i+=" ".repeat(a+n+2),i+=`^
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L129
126patternName = google_api_key severity = high line = 126 matchedText = ...`};Ob...----
High
Secret Pattern

Google API key in dist/cli.js

dist/cli.jsView on unpkg · L126
129patternName = stripe_test_secret severity = high line = 129 matchedText = -----END...,2)}
High
Secret Pattern

Stripe test secret key in dist/cli.js

dist/cli.jsView on unpkg · L129
129patternName = twilio_api_key severity = high line = 129 matchedText = -----END...,2)}
High
Secret Pattern

Twilio API key in dist/cli.js

dist/cli.jsView on unpkg · L129
1#!/usr/bin/env node L2: "use strict";var EU=Object.create;var gp=Object.defineProperty;var IU=Object.getOwnPropertyDescriptor;var _U=Object.getOwnPropertyNames;var bU=Object.getPrototypeOf,SU=Object.proto... L3: `)}displayWidth(t){return Ld(t).length}styleTitle(t){return t}styleUsage(t){return t.split(" ").map(n=>n==="[options]"?this.styleOptionText(n):n==="[command]"?this.styleSubcommandT... ... L13: (Did you mean one of ${o.join(", ")}?)`:o.length===1?` L14: (Did you mean ${o[0]}?)`:""}vd.suggestSimilar=wU});var jd=dn(wp=>{var NU=require("node:events").EventEmitter,Rp=require("node:child_process"),pr=require("node:path"),hs=require("no... L15: - specify the name in Command constructor or using .name()`);return n=n||{},n.isDefault&&(this._defaultCommandName=t._name),(n.noHelp||n.hidden)&&(t._hidden=!0),this._registerComma... ... L26: Expecting one of '${o.join("', '")}'`);let i=`${t}Help`;return this.on(i,a=>{let c;typeof n=="function"?c=n({error:a.error,command:a.command}):c=n,c&&a.write(`${c} L27: `)}),this}_outputHelpIfRequested(t){let n=this._getHelpOption();n&&t.find(i=>n.is(i))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function $d(e){r
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L1

Findings

9 Critical7 High4 Medium5 Low
CriticalCritical Secretdist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
HighChild Processdist/cli.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighRuntime Package Installdist/cli.js
HighSecret Patterndist/cli.js
HighSecret Patterndist/cli.js
HighSecret Patterndist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License