registry  /  cs-devtest  /  1.1.10

cs-devtest@1.1.10

Automatic Husky + Gitleaks + SonarQube setup for any JS/TS project

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package triggers full setup in the consuming project. It sends the local Git email to a hardcoded SonarQube host, provisions an account with project-admin permission, and writes a hardcoded service token locally.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall (`node ./bin/index.js init`)
Impact
Exposes local identity metadata to a fixed external endpoint, creates privileged remote accounts, persists an embedded credential, and installs executable hooks/tooling.
Mechanism
unconsented postinstall remote account provisioning and credential-bearing project mutation
Attack narrative
On package installation, the postinstall entrypoint changes into the consumer project and runs setup. The Sonar helper uses a hardcoded IP endpoint and embedded token, reads the user's Git email, creates an account with a fixed password, grants that account admin permission on a newly created project, and writes the service token into the project. It additionally modifies package-manager settings and installs hooks and downloaded tooling. Although the README advertises automation, these privileged remote and local mutations occur without an explicit setup command or endpoint consent.
Rationale
Direct source inspection confirms an unconsented install-time chain that transmits local identity data to a fixed remote host, provisions privileged accounts, and persists an embedded credential in the consumer project. This exceeds ordinary package setup and is concrete harmful behavior.
Evidence
package.jsonbin/index.jslib/sonarqube.jslib/packageManager.jslib/hooks.jslib/gitleaks.jsReadme.mdsonar-project.properties.husky/pre-commit.husky/pre-push.gitleaksignore.gitignore.tools/gitleaks/scripts/run-ci-checks.sh.github/workflows/security-pipeline.yml
Network endpoints5
34.100.239.232:900034.100.239.232:9000/api/projects/create34.100.239.232:9000/api/users/create34.100.239.232:9000/api/permissions/add_usergithub.com/gitleaks/gitleaks/releases/download/v8.18.0/

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs `bin/index.js init` in `postinstall`.
  • `lib/sonarqube.js` defaults to `http://34.100.239.232:9000` and an embedded service token.
  • Postinstall reads `git config user.email`, posts it to the hardcoded host, creates a user, and grants project admin.
  • `lib/sonarqube.js` writes the embedded Sonar token into the target project's `sonar-project.properties`.
  • `lib/packageManager.js` alters target `package.json` to whitelist build scripts; hooks and CI files are installed automatically.
  • `lib/gitleaks.js` downloads and executes an unsigned external Gitleaks binary.
Evidence against
  • `Readme.md` describes automatic hooks and centralized SonarQube configuration.
  • Most filesystem changes implement the package's stated DevOps setup purpose.
  • No source evidence of shell-hidden payloads, eval, or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 86.7 KB of source, external domains: 34.100.239.232, github.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/index.js init
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/index.js init
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/index.jsView file
8// npm does NOT guarantee our own node_modules exists before running postinstall. L9: // We must bootstrap ourselves using only fs, path, child_process (always available). L10: // ─────────────────────────────────────────────────────────────────────────────
High
Child Process

Package source references child process execution.

bin/index.jsView on unpkg · L8
10// ───────────────────────────────────────────────────────────────────────────── L11: const fs = require('fs'); L12: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/index.jsView on unpkg · L10
lib/gitleaks.jsView file
4const path = require('path'); L5: const execa = require('execa'); L6: const https = require('https');
High
Shell

Package source references shell execution.

lib/gitleaks.jsView on unpkg · L4
lib/sonarqube.jsView file
6const { installDevDependency } = require('./packageManager'); L7: const { execSync } = require('child_process'); L8: L9: const SONAR_PROPS_FILE = 'sonar-project.properties'; L10: const DEFAULT_SONAR_HOST = process.env.SONAR_HOST_URL || 'http://34.100.239.232:9000'; L11: const DEFAULT_SONAR_TOKEN = process.env.SONAR_TOKEN || 'squ_76811d68e795b642385b1de37dc97fb41a13c252';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/sonarqube.jsView on unpkg · L6
lib/husky.jsView file
28try { L29: await execa('npx', ['husky'], opts); // husky v9+ L30: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/husky.jsView on unpkg · L28
templates/github-template/scripts/run-all-scans.shView file
path = templates/github-template/scripts/run-all-scans.sh kind = build_helper sizeBytes = 25265 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/github-template/scripts/run-all-scans.shView on unpkg
lib/packageManager.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cs-devtest@1.1.6 matchedIdentity = npm:Y3MtZGV2dGVzdA:1.1.6 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/packageManager.jsView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltalib/packageManager.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/index.js
HighShelllib/gitleaks.js
HighSame File Env Network Executionlib/sonarqube.js
HighRuntime Package Installlib/husky.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/github-template/scripts/run-all-scans.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings