registry  /  hyve-system  /  2026.7.0

hyve-system@2026.7.0

CLI do HYVE System — instala, autentica e mantém o framework atualizado

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 70.1 KB of source, external domains: lab.hyve.company, vobsudkxawzktwgilbae.supabase.co

Source & flagged code

6 flagged · loading source
dist/lab-client.jsView file
23patternName = supabase_service_key severity = critical line = 23 matchedText = const LA...ima)
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/lab-client.jsView on unpkg · L23
23patternName = supabase_service_key severity = critical line = 23 matchedText = const LA...ima)
Critical
Secret Pattern

Supabase service role key (JWT) in dist/lab-client.js

dist/lab-client.jsView on unpkg · L23
dist/framework-sync.jsView file
1import { execFile } from 'node:child_process'; L2: import { promisify } from 'node:util';
High
Child Process

Package source references child process execution.

dist/framework-sync.jsView on unpkg · L1
1import { execFile } from 'node:child_process'; L2: import { promisify } from 'node:util'; ... L13: */ L14: export const API_BASE = process.env.HYVE_LAB_API_URL ?? 'https://lab.hyve.company'; L15: /**
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/framework-sync.jsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = hyve-system@2026.7.1 matchedIdentity = npm:aHl2ZS1zeXN0ZW0:2026.7.1 similarity = 0.824 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/framework-sync.jsView on unpkg
dist/commands/login.jsView file
1import { spawn } from 'node:child_process'; L2: import { getLabClient } from '../lab-client.js'; ... L5: /** Base do app Next do Lab (endpoints /api/device/*). Override pra testar local. */ L6: const API_BASE = process.env.HYVE_LAB_API_URL ?? 'https://lab.hyve.company'; L7: /** Único caminho de login: device authorization flow (autoriza pelo navegador). */ ... L11: function openBrowser(url) { L12: const platform = process.platform; L13: const cmd = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open'; ... L32: sp.error(`O Lab respondeu ${res.status}. Tente de novo em instantes.`); L33: process.exitCode = 1; L34: return; L35: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/login.jsView on unpkg · L1

Findings

2 Critical5 High3 Medium5 Low
CriticalCritical Secretdist/lab-client.js
CriticalSecret Patterndist/lab-client.js
HighChild Processdist/framework-sync.js
HighShell
HighSame File Env Network Executiondist/framework-sync.js
HighSandbox Evasion Gated Capabilitydist/commands/login.js
HighPrevious Version Dangerous Deltadist/framework-sync.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings