registry  /  cs-devtest  /  1.1.11

cs-devtest@1.1.11

Automatic Husky + Gitleaks + SonarQube setup for any JS/TS project

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation automatically modifies the consuming Git project and configures a hardcoded remote SonarQube service. The persisted pre-commit hook scans the project with `sonar.sources=.` and sends analysis to that service.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
`npm` postinstall in a Git repository, followed by a Git commit.
Impact
Unconsented disclosure of project metadata and potentially source analysis to a hardcoded third-party host; remote project access is created using the package's embedded credentials.
Mechanism
Automatic project mutation, remote account provisioning, and persistent source scanning.
Attack narrative
On postinstall, the package switches to the consumer project and installs its setup. It provisions a project on a hardcoded SonarQube host using an embedded token; for matching Git emails it creates a remote user and grants project-admin permission. It writes a Sonar configuration for the full project and persists a pre-commit hook that runs the scanner, creating a recurring path for project analysis to reach that remote service.
Rationale
Source establishes an automatic install-time persistence and data-transfer chain to a hardcoded remote service using embedded privileged credentials. The disclosed security-tool purpose does not justify silently provisioning remote accounts and scanning the consumer project by default.
Evidence
package.jsonbin/index.jslib/sonarqube.jslib/hooks.jslib/ci.jsproject/package.jsonproject/sonar-project.propertiesproject/.husky/pre-commitproject/.gitignoreproject/.gitleaksignore
Network endpoints1
34.100.239.232:9000

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs `bin/index.js init` automatically at `postinstall`.
  • `bin/index.js` changes into the installing project and installs tooling, hooks, and configs.
  • `lib/sonarqube.js` defaults to a hardcoded remote SonarQube host and embedded service token.
  • `lib/sonarqube.js` sends the local Git email to create a remote user and grants that user project admin access.
  • `lib/hooks.js` persists a pre-commit hook that invokes SonarQube scanning.
  • Generated `sonar-project.properties` sets `sonar.sources=.` for the remote scanner.
Evidence against
  • Network use for Gitleaks targets its named upstream release endpoint.
  • README discloses automated Husky, Gitleaks, and SonarQube setup rather than concealing it.
  • No source evidence of credential-file harvesting, shell payload download, or AI-agent configuration writes.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 86.7 KB of source, external domains: 34.100.239.232, github.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/index.js init
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/index.js init
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/index.jsView file
8// npm does NOT guarantee our own node_modules exists before running postinstall. L9: // We must bootstrap ourselves using only fs, path, child_process (always available). L10: // ─────────────────────────────────────────────────────────────────────────────
High
Child Process

Package source references child process execution.

bin/index.jsView on unpkg · L8
10// ───────────────────────────────────────────────────────────────────────────── L11: const fs = require('fs'); L12: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/index.jsView on unpkg · L10
lib/gitleaks.jsView file
4const path = require('path'); L5: const execa = require('execa'); L6: const https = require('https');
High
Shell

Package source references shell execution.

lib/gitleaks.jsView on unpkg · L4
lib/sonarqube.jsView file
6const { installDevDependency } = require('./packageManager'); L7: const { execSync } = require('child_process'); L8: L9: const SONAR_PROPS_FILE = 'sonar-project.properties'; L10: const DEFAULT_SONAR_HOST = process.env.SONAR_HOST_URL || 'http://34.100.239.232:9000'; L11: const DEFAULT_SONAR_TOKEN = process.env.SONAR_TOKEN || 'squ_76811d68e795b642385b1de37dc97fb41a13c252';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/sonarqube.jsView on unpkg · L6
lib/husky.jsView file
28try { L29: await execa('npx', ['husky'], opts); // husky v9+ L30: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/husky.jsView on unpkg · L28
templates/github-template/scripts/run-all-scans.shView file
path = templates/github-template/scripts/run-all-scans.sh kind = build_helper sizeBytes = 25265 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/github-template/scripts/run-all-scans.shView on unpkg
lib/packageManager.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cs-devtest@1.1.6 matchedIdentity = npm:Y3MtZGV2dGVzdA:1.1.6 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/packageManager.jsView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltalib/packageManager.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/index.js
HighShelllib/gitleaks.js
HighSame File Env Network Executionlib/sonarqube.js
HighRuntime Package Installlib/husky.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/github-template/scripts/run-all-scans.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings