registry  /  @wraps.dev/cli  /  2.26.1

@wraps.dev/cli@2.26.1

⚠ Under review

Deploy email, SMS, and CDN infrastructure to your AWS account with one command. Sets up SES with DKIM/SPF/DMARC, event processing, and history automatically.

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 25 file(s), 4.16 MB of source, external domains: api.cloudflare.com, api.github.com, api.vercel.com, api.wraps.dev, app.example.com, app.wraps.dev, app.yourcompany.com, aws.amazon.com, awscli.amazonaws.com, cbl.abuseat.org, check.spamhaus.org, console.aws.amazon.com, console.neon.tech, dash.cloudflare.com, dashboard.wraps.dev, data.iana.org, docs.aws.amazon.com, example.com, fb.me, fonts.googleapis.com, fonts.gstatic.com, get.pulumi.com, github.com, hooks.slack.com, mths.be, nodejs.org, oidc.vercel.com, radix-ui.com, react-native.canny.io, react.dev, react.email, twitter.com, vercel.com, wraps.dev, www.barracudacentral.org, www.pulumi.com, www.sorbs.net, www.spamcop.net, www.w3.org, your-app.com, yourapp.com

Source & flagged code

11 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @wraps.dev/cli@2.25.1 matchedIdentity = npm:QHdyYXBzLmRldi9jbGk:2.25.1 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
69// src/utils/shared/aws-detection.ts L70: import { execSync } from "child_process"; L71: import { existsSync, readdirSync, readFileSync } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L69
6864try { L6865: await execAsync("pulumi version"); L6866: return true;
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L6864
14import { fileURLToPath } from "url"; L15: var getFilename, getDirname, __dirname; L16: var init_esm_shims = __esm({ ... L26: function isCI() { L27: if (process.env.CI === "true" || process.env.CI === "1") { L28: return true; ... L69: // src/utils/shared/aws-detection.ts L70: import { execSync } from "child_process"; L71: import { existsSync, readdirSync, readFileSync } from "fs"; ... L135: const sts = new STSClient({ region: "us-east-1" }); L136: const identity = await sts.send(new GetCallerIdentityCommand({})); L137: return identity.Account || null;
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L14
14import { fileURLToPath } from "url"; L15: var getFilename, getDirname, __dirname; L16: var init_esm_shims = __esm({ ... L26: function isCI() { L27: if (process.env.CI === "true" || process.env.CI === "1") { L28: return true; ... L69: // src/utils/shared/aws-detection.ts L70: import { execSync } from "child_process"; L71: import { existsSync, readdirSync, readFileSync } from "fs"; ... L135: const sts = new STSClient({ region: "us-east-1" }); L136: const identity = await sts.send(new GetCallerIdentityCommand({})); L137: return identity.Account || null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L14
14Cross-file remote execution chain: dist/cli.js spawns dist/lambda/agent-enforcer/index.js; helper contains network access plus dynamic code execution. L14: import { fileURLToPath } from "url"; L15: var getFilename, getDirname, __dirname; L16: var init_esm_shims = __esm({ ... L26: function isCI() { L27: if (process.env.CI === "true" || process.env.CI === "1") { L28: return true; ... L69: // src/utils/shared/aws-detection.ts L70: import { execSync } from "child_process"; L71: import { existsSync, readdirSync, readFileSync } from "fs"; ... L135: const sts = new STSClient({ region: "us-east-1" }); L136: const identity = await sts.send(new GetCallerIdentityCommand({})); L137: return identity.Account || null;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L14
dist/lambda/agent-enforcer/index.jsView file
1"use strict";var Ys=Object.create;var Fe=Object.defineProperty;var Xs=Object.getOwnPropertyDescriptor;var ei=Object.getOwnPropertyNames;var ti=Object.getPrototypeOf,ri=Object.proto... L2: If you are using React Native, this API is not yet supported, see: https://react-native.canny.io/feature-requests/p/fetch-streaming-body`);return o.stream()};return Object.assign(t... L3: See https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/node-configuring-maxsockets.html
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/lambda/agent-enforcer/index.jsView on unpkg · L1
dist/console/assets/avif_enc_mt-DFoVXd45.wasmView file
path = dist/console/assets/avif_enc_mt-DFoVXd45.wasm kind = wasm_module sizeBytes = 3534665 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/console/assets/avif_enc_mt-DFoVXd45.wasmView on unpkg
dist/api-lambda.zipView file
path = dist/api-lambda.zip kind = high_entropy_blob sizeBytes = 3161818 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/api-lambda.zipView on unpkg
path = dist/api-lambda.zip kind = compressed_blob sizeBytes = 3161818 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/api-lambda.zipView on unpkg
path = dist/api-lambda.zip kind = nested_archive_needs_inspection sizeBytes = 3161818 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/api-lambda.zipView on unpkg

Findings

1 Critical7 High7 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighCredential Exfiltrationdist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighCross File Remote Execution Contextdist/cli.js
HighObfuscated
HighShips High Entropy Blobdist/api-lambda.zip
MediumDynamic Requiredist/lambda/agent-enforcer/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Wasm Moduledist/console/assets/avif_enc_mt-DFoVXd45.wasm
MediumShips Compressed Blobdist/api-lambda.zip
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectiondist/api-lambda.zip
LowCopyleft License