cicy-desktop@2.1.223

⚠ Under review

CiCy - AI-powered operating system browser

Static Scan Results

scanned 35m ago · by rust-scanner

Static analysis flagged 19 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.
scanned 126 file(s), 1.77 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.github.com, api.ipify.org, api.myip.com, cdn.npmmirror.com, chatgpt.com, cicy-1372193042-cn.oss-cn-shanghai.aliyuncs.com, cicy-1372193042.cos.ap-shanghai.myqcloud.com, cicy-ai.com, desktop.docker.com, example.com, g-electron.cicy.de5.net, gateway.cicy-ai.com, gcp-8101.cicy.de5.net, gemini.google.com, ghproxy.net, github.com, ifconfig.me, ip-api.com, ip138.com, ipinfo.io, mirrors.tuna.tsinghua.edu.cn, mirrors.ustc.edu.cn, nodejs.org, raw.githubusercontent.com, react.dev, registry.npmjs.org, registry.npmmirror.com, wslstorestorage.blob.core.windows.net, www.apple.com, www.baidu.com, www.docker.com, www.douyin.com, www.google.com, www.gstatic.com, www.w3.org

Source & flagged code

10 flagged
scripts/sync-runtime-deps.cjs
L10:
L11: const { execSync } = require("child_process");
L12: const fs = require("fs");
High
Child Process

Package source references child process execution.

scripts/sync-runtime-deps.cjs · L10
src/tools/file-tools.js
L5:
L6: const FILES_DIR = path.join(require("os").homedir(), "cicy-files");
L7: ...
L97: "file_upload",
L98: "上传文件到服务器(base64编码),返回可访问的 URL",
L99: z.object({ ...
L119: const baseUrl =
L120: process.env.CICY_BASE_URL || `http://localhost:${process.env.PORT || 8101}`;
L121: const url = `${baseUrl}/files/${uniqueFilename}`;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/tools/file-tools.js · L5
src/sidecar/docker.js
L7: // locally it's loaded from R2 (CN-friendly, no Docker Hub pull):
L8: // https://r2.deepfetch.de5.net/docker/cicy-code-latest.tar.gz
L9: //
L10: // The container maps :8008 and persists ~/cicy-ai in a named volume.
L11: const { execFile, execFileSync, spawn } = require("child_process");
L12: const https = require("https");
...
L17:
L18: const IMAGE = process.env.CICY_DOCKER_IMAGE || "cicybot/cicy-code:latest";
L19: // Image tarball on Aliyun OSS (oss-cn-shanghai, public-read) — CN-domestic and
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/sidecar/docker.js · L7
L7: // locally it's loaded from R2 (CN-friendly, no Docker Hub pull):
L8: // https://r2.deepfetch.de5.net/docker/cicy-code-latest.tar.gz
L9: //
L10: // The container maps :8008 and persists ~/cicy-ai in a named volume.
L11: const { execFile, execFileSync, spawn } = require("child_process");
L12: const https = require("https");
...
L17:
L18: const IMAGE = process.env.CICY_DOCKER_IMAGE || "cicybot/cicy-code:latest";
L19: // Image tarball on Aliyun OSS (oss-cn-shanghai, public-read) — CN-domestic and
...
L56: return new Promise((resolve, reject) => {
L57: execFile(dockerBin(), args, { timeout, windowsHide: true }, (err, stdout, stderr) => {
L58: if (err) { err.stdout = String(stdout || ""); err.stderr = String(stderr || ""); return reject(err); }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/sidecar/docker.js · L7
src/sidecar/colima-docker.js
L23:
L24: const { execFile, spawn } = require("child_process");
L25: const path = require("path");
...
L30: // Dedicated Colima profile: never touch the user's own default colima/docker.
L31: const PROFILE = process.env.CICY_COLIMA_PROFILE || "cicy-code";
L32: // Colima creates one docker context per profile, named `colima-<profile>`. All ...
L52: // An ubuntu-24.04 + docker cloudimg is enough, decoupled from the colima version (stable key, not tied to a version number).
L53: const OSS_BASE = process.env.CICY_OSS_BASE || "https://cicy-1372193042-cn.oss-cn-shanghai.aliyuncs.com";
L54: const BASE_IMAGE_URL = process.env.CICY_COLIMA_BASE_URL ||
L55: `${OSS_BASE}/colima-base/ubuntu-2404-${ARCH_TAG}-docker.raw.gz`;
L56: function baseImagePath() { return path.join(os.homedir(), "cicy-ai", "colima", `ubuntu-2404-${ARCH_TAG}-docker.raw.gz`); }
L57:
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/sidecar/colima-docker.js · L23
Trigger-reachable chain: manifest.main -> src/main.js -> src/backends/sidecar-ipc.js -> src/sidecar/colima-docker.js
L23:
L24: const { execFile, spawn } = require("child_process");
L25: const path = require("path");
...
L30: // Dedicated Colima profile: never touch the user's own default colima/docker.
L31: const PROFILE = process.env.CICY_COLIMA_PROFILE || "cicy-code";
L32: // Colima creates one docker context per profile, named `colima-<profile>`. All ...
L52: // An ubuntu-24.04 + docker cloudimg is enough, decoupled from the colima version (stable key, not tied to a version number).
L53: const OSS_BASE = process.env.CICY_OSS_BASE || "https://cicy-1372193042-cn.oss-cn-shanghai.aliyuncs.com";
L54: const BASE_IMAGE_URL = process.env.CICY_COLIMA_BASE_URL ||
L55: `${OSS_BASE}/colima-base/ubuntu-2404-${ARCH_TAG}-docker.raw.gz`;
L56: function baseImagePath() { return path.join(os.homedir(), "cicy-ai", "colima", `ubuntu-2404-${ARCH_TAG}-docker.raw.gz`); }
L57:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/sidecar/colima-docker.js · L23
src/tools/system-tools.js
L1: const { z } = require("zod");
L2: const { execSync } = require("child_process");
L3: ...
L16:
L17: if (process.platform === "linux") {
L18: // Use wmctrl to obtain window information
...
L55: const baseUrl =
L56: process.env.CICY_BASE_URL || `http://localhost:${process.env.PORT || 8101}`;
L57: const thumbUrl = `${baseUrl}/files/screenshot/sys_win_${winId.replace(/^0x/, "")}.jpeg`;
...
L104: const screenshotDir = path.join(
L105: require("os").homedir(),
L106: "cicy-files",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/tools/system-tools.js · L1
scripts/build-homepage.cjs
L24: console.log(`[build-homepage] $ ${cmd} (in ${path.relative(ROOT, cwd) || "."})`);
L25: execSync(cmd, { cwd, stdio: "inherit" });
L26: }
...
L29: if (!fs.existsSync(path.join(RENDER, "node_modules"))) {
L30: run("npm install --no-audit --no-fund", RENDER);
L31: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/build-homepage.cjs · L24
copy-to-desktop.sh
path = copy-to-desktop.sh
kind = build_helper
sizeBytes = 669
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

copy-to-desktop.sh
workers/render/src/fonts/NotoMonoSC-Regular.woff2
path = [redacted]-Regular.woff2
kind = high_entropy_blob
sizeBytes = 8246904
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

workers/render/src/fonts/NotoMonoSC-Regular.woff2

Findings

2 Critical · 6 High · 5 Medium · 6 Low
Critical · Persistence Backdoor · src/sidecar/colima-docker.js
Critical · Trigger Reachable Dangerous Capability · src/sidecar/colima-docker.js
High · Child Process · scripts/sync-runtime-deps.cjs
High · Shell
High · Same File Env Network Execution · src/sidecar/docker.js
High · Sandbox Evasion Gated Capability · src/tools/system-tools.js
High · Runtime Package Install · scripts/build-homepage.cjs
High · Ships High Entropy Blob · workers/render/src/fonts/NotoMonoSC-Regular.woff2
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · src/sidecar/docker.js
Medium · Ships Build Helper · copy-to-desktop.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · src/tools/file-tools.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings