registry  /  @wendongfly/myhi  /  1.3.86

@wendongfly/myhi@1.3.86

⚠ Under review

Web-based terminal sharing with chat UI — control your terminal from phone via LAN/Tailscale

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 117 file(s), 4.35 MB of source, external domains: dub.sh, example.org, feross.org, github.com, mths.be, registry.npmjs.org, socket.io, www.w3.org

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join(__dirname,'bin','myhi.js'),0o755)}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join(__dirname,'bin','myhi.js'),0o755)}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/myhi.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { fileURLToPath } from 'url';
High
Child Process

Package source references child process execution.

bin/myhi.jsView on unpkg · L1
355// 确保 OpenSSH Server 已启动 L356: run('powershell -Command "Start-Service sshd 2>$null; Set-Service -Name sshd -StartupType Automatic 2>$null"', { silent: true, ignoreError: true }); L357:
High
Shell

Package source references shell execution.

bin/myhi.jsView on unpkg · L355
1Cross-file remote execution chain: bin/myhi.js spawns dist/index.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { fileURLToPath } from 'url'; ... L8: const __filename = fileURLToPath(import.meta.url); L9: const __dirname = dirname(__filename); L10: ... L15: if ((args[i] === '-p' || args[i] === '--port') && args[i + 1]) { L16: process.env.PORT = args[i + 1]; L17: args.splice(i, 2); i--; ... L61: if (serverPid && isRunning(serverPid)) { L62: if (process.platform === 'win32') { L63: try { require('child_process').execSync(`taskkill /PID ${serverPid} /F /T`, { stdio: 'pipe', timeout: 5000 }); } catch {}
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/myhi.jsView on unpkg · L1
1Detached bundled service listener: bin/myhi.js spawns dist/index.js; helper exposes a broad-bound HTTP listener. L1: #!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { fileURLToPath } from 'url'; ... L8: const __filename = fileURLToPath(import.meta.url); L9: const __dirname = dirname(__filename); L10: ... L15: if ((args[i] === '-p' || args[i] === '--port') && args[i + 1]) { L16: process.env.PORT = args[i + 1]; L17: args.splice(i, 2); i--; ... L61: if (serverPid && isRunning(serverPid)) { L62: if (process.platform === 'win32') { L63: try { require('child_process').execSync(`taskkill /PID ${serverPid} /F /T`, { stdio: 'pipe', timeout: 5000 }); } catch {}
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

bin/myhi.jsView on unpkg · L1
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { fileURLToPath } from 'url'; ... L8: const __filename = fileURLToPath(import.meta.url); L9: const __dirname = dirname(__filename); L10: ... L15: if ((args[i] === '-p' || args[i] === '--port') && args[i + 1]) { L16: process.env.PORT = args[i + 1]; L17: args.splice(i, 2); i--; ... L61: if (serverPid && isRunning(serverPid)) { L62: if (process.platform === 'win32') { L63: try { require('child_process').execSync(`taskkill /PID ${serverPid} /F /T`, { stdio: 'pipe', timeout: 5000 }); } catch {}
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/myhi.jsView on unpkg · L1
dist/index.jsView file
81*/ L82: var i=n(6928).relative;e.exports=depd;var a=process.cwd();function containsNamespace(e,t){var n=e.split(/[ ,]+/);var i=String(t).toLowerCase();for(var a=0;a<n.length;a++){var s=n[a... L83: /*!
High
Eval

Package source references dynamic code evaluation.

dist/index.jsView on unpkg · L81
75*/ L76: t.parse=parse;t.serialize=serialize;var n=Object.prototype.toString;var i=Object.prototype.hasOwnProperty;var a=/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;var s=/^("?)[\u0021\u0023-\u002B\u0... L77: /*! ... L81: */ L82: var i=n(6928).relative;e.exports=depd;var a=process.cwd();function containsNamespace(e,t){var n=e.split(/[ ,]+/);var i=String(t).toLowerCase();for(var a=0;a<n.length;a++){var s=n[a... L83: /*!
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L75
9/*! L10: * base64id v0.1.0 L11: */ ... L23: */ L24: var i=n(8024);var a=n(2194);var s=n(949);var o=n(1748);var c=n(5698);var l=n(6367);var u=n(3106);e.exports=read;function read(e,t,n,c,u,p){var d;var h=p;var m;e._body=true;var g=h.... L25: /*! ... L75: */ L76: t.parse=parse;t.serialize=serialize;var n=Object.prototype.toString;var i=Object.prototype.hasOwnProperty;var a=/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;var s=/^("?)[\u0021\u0023-\u002B\u0... L77: /*! ... L81: */ L82: var i=n(6928).relative;e.exports=depd;var a=process.cwd();function containsNamespace(e,t){var n=e.split(/[ ,]+/);var i=String(t).toLowerCase();for(var a=0;a<n.length;a++){var s=n[a... L83: /*!
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L9
dist/index.min.jsView file
53* MIT Licensed L54: */_.parse=o,_.serialize=e;var f=Object.prototype.toString,s=Object.prototype.hasOwnProperty,t=/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,c=/^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005... L55: `).map((function(a){return a.trim()})).join(" ")},_.formatters.O=function(p){return this.inspectOpts.colors=this.useColors,t.inspect(p,this.inspectOpts)};function o(p){var a=this.n... ... L65: at `+C[E].toString();return O}return I&&(O+=" at "+g(I)),O}function h(k,I,C){var A="\x1B[36;1m"+this._namespace+"\x1B[22;39m \x1B[33;1mdeprecated\x1B[22;39m \x1B[0m"+k+"\x1B[39m";i... L66: \x1B[36mat `+C[O].toString()+"\x1B[39m";return A}return I&&(A+=" \x1B[36m"+g(I)+"\x1B[39m"),A}function g(k){return s(t,k[0])+":"+k[1]+":"+k[2]}function b(){var k=Error.stackTraceLi... L67: return function (`+C+`) {log.call(deprecate, message, site)
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.min.jsView on unpkg · L53
bin/daemon.jsView file
126? 'npm.cmd install -g @wendongfly/myhi@latest' L127: : 'npm install -g @wendongfly/myhi@latest 2>&1 || sudo npm install -g @wendongfly/myhi@latest 2>&1'; L128: const output = execSync(cmd, { timeout: 120000, encoding: 'utf8' }); L129: log('升级完成: ' + output.trim().split('\n').pop());
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/daemon.jsView on unpkg · L126

Findings

1 Critical9 High6 Medium5 Low
CriticalSame File Env Network Executiondist/index.min.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/myhi.js
HighShellbin/myhi.js
HighEvaldist/index.js
HighCommand Output Exfiltrationdist/index.js
HighObfuscated Payload Loaderdist/index.js
HighCross File Remote Execution Contextbin/myhi.js
HighSpawned Bundled Service Listenerbin/myhi.js
HighRuntime Package Installbin/daemon.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/myhi.js
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings