registry  /  auditx  /  0.1.13

auditx@0.1.13

One command. Every vulnerability. AI-ready markdown report.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious behavior, but the CLI exposes shell-injection risk through quoted string commands built from user/repo-controlled paths. Git hook mutation is explicit CLI functionality, not install-time persistence.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs auditx on a crafted path or with staged filenames; user explicitly runs `auditx hook install` for hooks.
Impact
Possible command execution if attacker-controlled paths reach shell-built scanner commands; hook installer modifies project hooks by user request.
Mechanism
shell command interpolation and explicit git-hook installer
Attack narrative
A malicious repository could potentially influence staged filenames consumed by the git hook path or a crafted target path so that auditx builds an unsafe shell command for tools such as jscpd, depcheck, lizard, license-checker, or typecheck. This is a serious command-injection vulnerability pattern, but source inspection did not show hidden install-time execution, credential theft, or attacker-controlled exfiltration.
Rationale
auditx@0.1.13 appears to be a legitimate scanner orchestrator with explicit network/tool installation behavior, but it contains real shell-command construction risks around paths. Treat as suspicious/warn for critical vulnerability rather than malicious malware.
Evidence
package.jsondist/auditx.jsdist/hook-W4INEOTH.jsREADME.md~/.auditx/bin~/.auditx/semgrep-home/settings.yml~/.auditx/config.jsonaudit-report.md.git/hooks/pre-commit.git/hooks/pre-push.git/hooks/post-merge.git/hooks/post-checkout.husky/pre-commit.husky/pre-push
Network endpoints3
github.com/gitleaks/gitleaks/releases/download/github.com/aquasecurity/trivy/releases/download/github.com/semgrep/semgrep/releases/download/

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • dist/auditx.js runs shell commands via exec/execSync for scanners and fixes.
  • dist/auditx.js interpolates targetPath/staged file names into shell strings for jscpd, depcheck, license-checker, typecheck, lizard.
  • dist/hook-W4INEOTH.js writes/chains git hooks when `auditx hook install` is invoked.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • Network downloads are versioned scanner binaries from GitHub releases, aligned with a security-audit CLI.
  • AI API keys are prompted/stored locally and used only with explicit `--ai`/setup flows.
  • No credential harvesting or hidden exfiltration found in inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 84.4 KB of source, external domains: github.com, semgrep.dev, trivy.dev

Source & flagged code

5 flagged · loading source
dist/auditx.jsView file
matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.11 matchedIdentity = npm:YXVkaXR4:0.1.11 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/auditx.jsView on unpkg
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
High
Child Process

Package source references child process execution.

dist/auditx.jsView on unpkg · L8
823import { randomUUID as randomUUID2 } from "crypto"; L824: var execAsync = promisify7(exec); L825: async function runJscpd(targetPath, stagedFiles) {
High
Shell

Package source references shell execution.

dist/auditx.jsView on unpkg · L823
831const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L832: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L833: } catch (e) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/auditx.jsView on unpkg · L831
8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L17: return { L18: hasNodeJs: has("package.json") || has("package-lock.json") || has("yarn.lock") || has("pnpm-lock.yaml"), L19: hasPython: has("requirements.txt") || has("Pipfile") || has("pyproject.toml") || has("setup.py") || has("setup.cfg"), ... L31: try { L32: const pkg = JSON.parse(readFileSync(join(targetDir, "package.json"), "utf-8")); L33: return !!(pkg.dependencies?.react || pkg.devDependencies?.react); ... L100: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L101: import https from "https"; L102: import * as tar from "tar";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/auditx.jsView on unpkg · L8

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/auditx.js
HighChild Processdist/auditx.js
HighShelldist/auditx.js
HighRuntime Package Installdist/auditx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/auditx.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings