registry  /  catalyst-cli  /  0.2.2

catalyst-cli@0.2.2

Version obsolète présentant une faille de fonctionnement jugée critique par l'équipe Catalyst. Merci de mettre à jour immédiatement vers la version 0.3.6 ou supérieure.

Build your project on Catalyst from the command line and pull the artifact (web/APK/IPA) back.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a CLI that, when invoked by the user, authenticates to Catalyst, uploads a selected project directory for remote builds, and downloads build artifacts.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs catalyst CLI commands such as login, check, upload, build, pull, or run.
Impact
Expected Catalyst project upload/build behavior; no install-time execution, credential harvesting, persistence, or unaligned exfiltration found.
Mechanism
User-invoked authenticated build/upload CLI
Rationale
Static inspection shows suspicious primitives are package-aligned and user-invoked for a build service CLI. There is no lifecycle execution, hidden payload, unconsented credential/file harvesting, or AI-agent control-surface mutation.
Evidence
package.jsonbin/catalyst.jssrc/index.jsREADME.md~/.catalyst/config.json$CATALYST_CONFIG_DIR/config.jsonuser-supplied project directoryuser-specified artifact output path
Network endpoints11
dev.bcat.website/catalyst/apiwww.bcat.website/auth/user//auth/api-keys/{token_id}/revoke//ci/preflight//ci/projects/{projectId}/upload-files//ci/projects/upload-local//ci/projects/{projectId}/build-actions//ci/projects/{projectId}/build-local//ci/builds/{buildId}/result/artifact.download_url

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares dependency on catalyst-cli@^0.1.0, an odd self-dependency but not executed by lifecycle hooks.
Evidence against
  • package.json has no install/preinstall/postinstall scripts; bin only maps catalyst to bin/catalyst.js.
  • bin/catalyst.js only imports src/index.js and runs main() when CLI is invoked.
  • src/index.js network calls are user-command aligned: login/whoami/logout/check/upload/build/pull against Catalyst API or returned artifact URL.
  • src/index.js stores only Catalyst session config at ~/.catalyst/config.json or CATALYST_CONFIG_DIR with chmod 0600 best effort.
  • Project file reading/zipping occurs only for user-supplied check/upload/run directories and skips common dependency/build/cache dirs.
  • child_process.spawn is limited to user-invoked browser opener and npm install --dry-run --ignore-scripts for --deep preflight.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 25.7 KB of source, external domains: 127.0.0.1, dev.bcat.website, www.bcat.website

Source & flagged code

1 flagged · loading source
src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = catalyst-cli@0.2.1 matchedIdentity = npm:Y2F0YWx5c3QtY2xp:0.2.1 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/index.jsView on unpkg

Findings

1 Critical2 Medium3 Low
CriticalPrevious Version Dangerous Deltasrc/index.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings