@vm0/cli@9.220.8

⚠ Under review

CLI application

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 30 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Telemetry, Url Strings
Manifest: No License
scanned 597 file(s), 8.21 MB of source, external domains: 7i30hpv4bo9ud5mhianq.pika.art, a.klaviyo.com, account-d.docusign.com, account.docusign.com, account.mapbox.com, actions.zapier.com, admin.explorium.ai, admin.typeform.com, aeroapi.flightaware.com, ahrefs.com, ai-gateway.vercel.sh, aistudio.google.com, amplitude.com, analytics.eu.amplitude.com, analyticsadmin.googleapis.com, analyticsdata.googleapis.com, api-cloud.browserstack.com, api-dashboard.search.brave.com, api-inference.huggingface.co, api-ipv4.porkbun.com, api.adzuna.com, api.agentmail.to, api.agora.io, api.ahrefs.com, api.airtable.com, api.amadeus.com, api.anthropic.com, api.apify.com, api.apollo.io, api.ashbyhq.com, api.atlascloud.ai, api.atlassian.com, api.attio.com, api.aviationstack.com, api.axiom.co, api.bfl.ai, api.bitrefill.com, api.bland.ai, api.box.com, api.brevo.com, api.brex.com, api.brightdata.com, api.browser-use.com, api.browserbase.com, api.browserstack.com, api.bubblemaps.io, api.buffer.com, api.bufferapp.com, api.builtwith.com, api.cal.com

Source & flagged code

22 flagged

doctor-GB74EIN6.js

L4682: patternName = stripe_live_secret, severity = critical, line = 4682, matchedText = "FAL_TOK...eLo"
Critical · Critical Secret
Package contains a critical-looking secret pattern.
doctor-GB74EIN6.js, L4682 (view on unpkg)

L4682: patternName = stripe_live_secret, severity = critical, line = 4682, matchedText = "FAL_TOK...eLo"
Critical · Secret Pattern
Stripe live secret key in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L4682 (view on unpkg)

L4803: patternName = github_oauth, severity = critical, line = 4803, matchedText = "GH_TOKE...f0",
Critical · Secret Pattern
GitHub OAuth access token in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L4803 (view on unpkg)

L4804: patternName = github_oauth, severity = critical, line = 4804, matchedText = "GITHUB_...f0",
Critical · Secret Pattern
GitHub OAuth access token in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L4804 (view on unpkg)

L4805: patternName = github_oauth, severity = critical, line = 4805, matchedText = "GITHUB_...Of0"
Critical · Secret Pattern
GitHub OAuth access token in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L4805 (view on unpkg)

L5721: patternName = supabase_service_key, severity = critical, line = 5721, matchedText = "MONDAY_...oc",
Critical · Secret Pattern
Supabase service role key (JWT) in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L5721 (view on unpkg)

L5722: patternName = supabase_service_key, severity = critical, line = 5722, matchedText = "MONDAY_...Loc"
Critical · Secret Pattern
Supabase service role key (JWT) in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L5722 (view on unpkg)

L6470: patternName = sendgrid_api_key, severity = critical, line = 6470, matchedText = "SENDGRI...oca"
Critical · Secret Pattern
SendGrid API key in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6470 (view on unpkg)

L6573: patternName = slack_bot_token, severity = critical, line = 6573, matchedText = "SLACK_A...af",
Critical · Secret Pattern
Slack bot token in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6573 (view on unpkg)

L6574: patternName = slack_bot_token, severity = critical, line = 6574, matchedText = "SLACK_T...Saf"
Critical · Secret Pattern
Slack bot token in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6574 (view on unpkg)

L6600: patternName = supabase_service_key, severity = critical, line = 6600, matchedText = "SLOCK_A...ff",
Critical · Secret Pattern
Supabase service role key (JWT) in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6600 (view on unpkg)

L6602: patternName = supabase_service_key, severity = critical, line = 6602, matchedText = "SLOCK_T...0ff"
Critical · Secret Pattern
Supabase service role key (JWT) in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6602 (view on unpkg)

L6756: patternName = stripe_live_secret, severity = critical, line = 6756, matchedText = "STRIPE_...ff",
Critical · Secret Pattern
Stripe live secret key in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6756 (view on unpkg)

L6757: patternName = stripe_live_secret, severity = critical, line = 6757, matchedText = "STRIPE_...off"
Critical · Secret Pattern
Stripe live secret key in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6757 (view on unpkg)

L6939: patternName = supabase_service_key, severity = critical, line = 6939, matchedText = "TWENTY_...eLo"
Critical · Secret Pattern
Supabase service role key (JWT) in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L6939 (view on unpkg)

L7065: patternName = stripe_live_secret, severity = critical, line = 7065, matchedText = "WORKOS_...fee"
Critical · Secret Pattern
Stripe live secret key in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L7065 (view on unpkg)

L4252: patternName = stripe_test_secret, severity = high, line = 4252, matchedText = "CLERK_T...eSa"
High · Secret Pattern
Stripe test secret key in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L4252 (view on unpkg)

L4789: patternName = google_api_key, severity = high, line = 4789, matchedText = "GEMINI_...ffe"
High · Secret Pattern
Google API key in doctor-GB74EIN6.js
doctor-GB74EIN6.js, L4789 (view on unpkg)
esm-SRH3OR6L.js

L127: break;
L128: baggage[keyPair.key] = keyPair.metadata ? { value: keyPair.value, metadata: keyPair.metadata } : { value: keyPair.value };
L129: count2++;
...
L378: function getNumberFromEnv(key) {
L379: const raw = process.env[key];
L380: if (raw == null || raw.trim() === "") {
...
L4436: for (let i = 0; i < namespace.length; i++) {
L4437: hash = (hash << 5) - hash + namespace.charCodeAt(i);
L4438: hash |= 0;
...
L4697: let m;
L4698: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta...
L4699: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31?
Medium · Install Persistence
Source writes installer persistence such as shell profile or service configuration.
esm-SRH3OR6L.js, L127 (view on unpkg)

L24683: patternName = generic_password, severity = medium, line = 24683, matchedText = newUrl.p...d%";
Medium · Secret Pattern
Hardcoded password in esm-SRH3OR6L.js
esm-SRH3OR6L.js, L24683 (view on unpkg)
index.js

matchType = previous_version_dangerous_delta, matchedPackage = @vm0/cli@9.217.7, matchedIdentity = npm:QHZtMC9jbGk:9.217.7, similarity = 0.883, summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
index.js (view on unpkg)

L124: };
L125: const bypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
L126: if (bypassSecret) {
...
L131: async function requestDeviceCode(apiUrl) {
L132: const response = await fetch(`${apiUrl}/api/cli/auth/device`, {
L133: method: "POST",
L134: headers: buildHeaders(),
L135: body: JSON.stringify({})
L136: });
...
L142: }
L143: return response.json();
L144: }
High · Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.js, L124 (view on unpkg)

Findings

17 Critical · 3 High · 5 Medium · 5 Low

Critical · Critical Secret · doctor-GB74EIN6.js
Critical · Previous Version Dangerous Delta · index.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
Critical · Secret Pattern · doctor-GB74EIN6.js
High · Sandbox Evasion Gated Capability · index.js
High · Secret Pattern · doctor-GB74EIN6.js
High · Secret Pattern · doctor-GB74EIN6.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · esm-SRH3OR6L.js
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · esm-SRH3OR6L.js
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License