registry  /  apify-cli  /  1.7.1

apify-cli@1.7.1

⚠ Under review

Apify command-line interface (CLI) helps you manage the Apify cloud platform and develop, build, and deploy Apify Actors.

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 281 KB of source, external domains: 1.1.1.1, 8.8.8.8, api.github.com, api.segment.io, apify.com, apify.github.io, console.apify.com, developers.openai.com, docs.anthropic.com, docs.apify.com, example.com, github.com, mcp.apify.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "console.log('We have an active developer community on Discord. You can find it on https://discord.gg/crawlee-apify-801163717915574323.');"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/_register-CNQJunZH.jsView file
93contains invisible/control Unicode U+200B (zero width space) `),stdout:!this.flags.json})}if(await finalizeRun({apifyClient:i,run:h,operation:`call`,json:this.flags.json,silent:this.flags.silent}),!this.flags.json&&this.flags.outputDataset&&h.status===N.SUCCEEDED){let e=h.defaultDatasetId,t,n=4;do{if
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/_register-CNQJunZH.jsView on unpkg · L93
1Trigger-reachable chain: manifest.bin -> dist/actor.js -> dist/_register-CNQJunZH.js L1: import e from"node:process";import t from"chalk";import n from"indent-string";import r from"widest-line";import i from"wrap-ansi";import{inspect as a,parseArgs as s,promisify as c}... L2: `)[0]}`,``)}pushDescription(e){if(!this.command.description)return;e.push(t.bold(`DESCRIPTION`));let r=n(i(this.command.description,getMaxLineWidth()-2,{trim:!1}),2);e.push(r),e.pu...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/_register-CNQJunZH.jsView on unpkg · L1
1import e from"node:process";import t from"chalk";import n from"indent-string";import r from"widest-line";import i from"wrap-ansi";import{inspect as a,parseArgs as s,promisify as c}... L2: `)[0]}`,``)}pushDescription(e){if(!this.command.description)return;e.push(t.bold(`DESCRIPTION`));let r=n(i(this.command.description,getMaxLineWidth()-2,{trim:!1}),2);e.push(r),e.pu...
High
Child Process

Package source references child process execution.

dist/_register-CNQJunZH.jsView on unpkg · L1
1import e from"node:process";import t from"chalk";import n from"indent-string";import r from"widest-line";import i from"wrap-ansi";import{inspect as a,parseArgs as s,promisify as c}... L2: `)[0]}`,``)}pushDescription(e){if(!this.command.description)return;e.push(t.bold(`DESCRIPTION`));let r=n(i(this.command.description,getMaxLineWidth()-2,{trim:!1}),2);e.push(r),e.pu...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/_register-CNQJunZH.jsView on unpkg · L1
1import e from"node:process";import t from"chalk";import n from"indent-string";import r from"widest-line";import i from"wrap-ansi";import{inspect as a,parseArgs as s,promisify as c}... L2: `)[0]}`,``)}pushDescription(e){if(!this.command.description)return;e.push(t.bold(`DESCRIPTION`));let r=n(i(this.command.description,getMaxLineWidth()-2,{trim:!1}),2);e.push(r),e.pu...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/_register-CNQJunZH.jsView on unpkg · L1
1import e from"node:process";import t from"chalk";import n from"indent-string";import r from"widest-line";import i from"wrap-ansi";import{inspect as a,parseArgs as s,promisify as c}... L2: `)[0]}`,``)}pushDescription(e){if(!this.command.description)return;e.push(t.bold(`DESCRIPTION`));let r=n(i(this.command.description,getMaxLineWidth()-2,{trim:!1}),2);e.push(r),e.pu... ... L25: `).map(e=>` ${e}`).join(` L26: `)}`):n.push(`To solve this, provide the flag like this: --${e.name}=<value>`)):e.expectsValue?n.push(`expects a value`):n.push(`does not take an argument`),n.map(e=>t.gray(e)).joi... L27: `,i+=t.gray(`Did you mean: ${r.map(e=>t.whiteBright(e)).join(`, `)}?`)),error({message:i}),e.exit(1)}async function runVersionCheck(e,t){let n=J.get(`upgrade`);if([n.name,...n.alia... ... L31: `).filter(Boolean);if(e.length>0){let t=Sn().add(e);gitIgnoreFilter=e=>e.filter(e=>!t.ignores(e))}}catch{gitIgnoreFilter=await getGitignoreFallbackFilter(n)}let s=await Ze([`*`,`**... L32: ]HH:mm:ss`),Dn=new Le(`YYYY-MM-DD`),On=new Pe,K=new Pe({[Ie.Day]:{DEFAULT:`d`},[Ie.Hour]:{DEFAULT:`h`},[Ie.Minute]:{DEFAULT:`m`},[Ie.Month]:{DEFAULT:`M`},[Ie.Second]:{DEFAULT:`s`},... L33: `);function createAnony
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/_register-CNQJunZH.jsView on unpkg · L1

Findings

3 Critical4 High4 Medium4 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalTrojan Source Unicodedist/_register-CNQJunZH.js
CriticalTrigger Reachable Dangerous Capabilitydist/_register-CNQJunZH.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/_register-CNQJunZH.js
HighSame File Env Network Executiondist/_register-CNQJunZH.js
HighCommand Output Exfiltrationdist/_register-CNQJunZH.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/_register-CNQJunZH.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings