registry  /  omnish  /  2.1.9

omnish@2.1.9

⚠ Under review

omnish — allowlisted inbox → your real shell (WhatsApp, Telegram, Discord, Slack, and 20+ channels). No AI.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 24 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 1.03 MB of source, external domains: 127.0.0.1, api.line.me, api.sgroup.qq.com, chat.zalo.me, deb.nodesource.com, evermeet.cx, github.com, johnvansickle.com, matrix.org, omnish.dev, open.feishu.cn, openapi.zalo.me, platform.omnish.dev, raw.githubusercontent.com, react.dev, registry.npmjs.org, tunnel.omnish.dev, unpkg.com, www.apple.com, www.w3.org

Source & flagged code

15 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/check-baileys-dep.mjs && node scripts/check-native-modules.mjs && node scripts/fix-node-pty-perms.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/check-baileys-dep.mjs && node scripts/check-native-modules.mjs && node scripts/fix-node-pty-perms.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
52`),x.info({host:n,port:o},"irc gateway connected"),a.push((l,c)=>{let d=`irc:${l}`,u={peerKey:d,text:c};t.onInbound(u,d,"irc")}),{sendText:async(l,c)=>{let d=l.startsWith("irc:")?l... L53: `)},stop:async()=>{s.end()}}}function _g(e){return!!(cd(e).host&&cd(e).nick)}var Fg=w(()=>{"use strict";ee();Y();ut()});function ME(e){return e.trim().replace(/^[@#]/,"")||null}var... L54: `)){let n=t.replace(/\D/g,"");if(n.length>=10)return n}return null}function DE(e=C()){return $E.env.SIGNAL_CLI_PATH?.trim()||L(e,"signal","cliPath")||"signal-cli"}function WE(e,t,n...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L52
45L46: `);i>Math.floor(t*.35)&&(r=o+i+2)}n.push(e.slice(o,r)),o=r}return n}var gE,ut=w(()=>{"use strict";gE=3500});function yE(e,t){let n={};for(let o of t.secretKeys){let r=t.envSecrets?... L47: Add to allowlist on this gateway host: ... L52: `),x.info({host:n,port:o},"irc gateway connected"),a.push((l,c)=>{let d=`irc:${l}`,u={peerKey:d,text:c};t.onInbound(u,d,"irc")}),{sendText:async(l,c)=>{let d=l.startsWith("irc:")?l... L53: `)},stop:async()=>{s.end()}}}function _g(e){return!!(cd(e).host&&cd(e).nick)}var Fg=w(()=>{"use strict";ee();Y();ut()});function ME(e){return e.trim().replace(/^[@#]/,"")||null}var... L54: `)){let n=t.replace(/\D/g,"");if(n.length>=10)return n}return null}function DE(e=C()){return $E.env.SIGNAL_CLI_PATH?.trim()||L(e,"signal","cliPath")||"signal-cli"}function WE(e,t,n...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L45
1#!/usr/bin/env node L2: var RP=Object.defineProperty;var w=(e,t)=>()=>(e&&(t=e(e=0)),t);var qi=(e,t)=>{for(var n in t)RP(e,n,{get:t[n],enumerable:!0})};import UP from"node:crypto";import Mu from"node:fs";... L3: `,{mode:384})}function ta(e){let t=_u(e);if(!t)throw new Error("Invalid entry. Use +E164, tg:<id>, or <channel>:<id>.");let n=C();if("kind"in t&&t.kind==="wa"){if(t.normalized==="*... L4: `,{mode:384})}function Bu(){bh||(rE(),bh=!0)}function te(e){Bu();let t=dr.get(e);return t||(t=vh(),dr.set(e,t)),t}function sa(e,t){Bu();let n=_n.resolve(t),o=te(e);o.cwd=n,dr.set(e... L5: `).replace(/^\n+/,"").trimEnd()}function Ju(e){return e==="global"?"Shared on this gateway (every chat unless this chat overrides the name).":"Stored for this chat only."}function ... ... L45: L46: `);i>Math.floor(t*.35)&&(r=o+i+2)}n.push(e.slice(o,r)),o=r}return n}var gE,ut=w(()=>{"use strict";gE=3500});function yE(e,t){let n={};for(let o of t.secretKeys){let r=t.envSecrets?... L47: Add to allowlist on this gateway host: ... L52: `),x.info({host:n,port:o},"irc gateway connected"),a.push((l,c)=>{let d=`irc:${l}`,u={peerKey:d,text:c};t.onInbound(u,d,"irc")}),{sendText:async(l,c)=>{let d=l.startsWith("
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1
45L46: `);i>Math.floor(t*.35)&&(r=o+i+2)}n.push(e.slice(o,r)),o=r}return n}var gE,ut=w(()=>{"use strict";gE=3500});function yE(e,t){let n={};for(let o of t.secretKeys){let r=t.envSecrets?... L47: Add to allowlist on this gateway host: ... L52: `),x.info({host:n,port:o},"irc gateway connected"),a.push((l,c)=>{let d=`irc:${l}`,u={peerKey:d,text:c};t.onInbound(u,d,"irc")}),{sendText:async(l,c)=>{let d=l.startsWith("irc:")?l... L53: `)},stop:async()=>{s.end()}}}function _g(e){return!!(cd(e).host&&cd(e).nick)}var Fg=w(()=>{"use strict";ee();Y();ut()});function ME(e){return e.trim().replace(/^[@#]/,"")||null}var... L54: `)){let n=t.replace(/\D/g,"");if(n.length>=10)return n}return null}function DE(e=C()){return $E.env.SIGNAL_CLI_PATH?.trim()||L(e,"signal","cliPath")||"signal-cli"}function WE(e,t,n... L55: `);for(let l of a)if(l.trim())try{let c=JSON.parse(l),d=c.envelope?.sourceNumber,u=Me(c.envelope?.dataMessage?.message??"");if(!d||!u)continue;let p=`signal:${d.replace(/\D/g,"")}`...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L45
56patternName = generic_password severity = medium line = 56 matchedText = `))if(s....in(`
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L56
1#!/usr/bin/env node L2: var RP=Object.defineProperty;var w=(e,t)=>()=>(e&&(t=e(e=0)),t);var qi=(e,t)=>{for(var n in t)RP(e,n,{get:t[n],enumerable:!0})};import UP from"node:crypto";import Mu from"node:fs";... L3: `,{mode:384})}function ta(e){let t=_u(e);if(!t)throw new Error("Invalid entry. Use +E164, tg:<id>, or <channel>:<id>.");let n=C();if("kind"in t&&t.kind==="wa"){if(t.normalized==="*... L4: `,{mode:384})}function Bu(){bh||(rE(),bh=!0)}function te(e){Bu();let t=dr.get(e);return t||(t=vh(),dr.set(e,t)),t}function sa(e,t){Bu();let n=_n.resolve(t),o=te(e);o.cwd=n,dr.set(e... L5: `).replace(/^\n+/,"").trimEnd()}function Ju(e){return e==="global"?"Shared on this gateway (every chat unless this chat overrides the name).":"Stored for this chat only."}function ... ... L45: L46: `);i>Math.floor(t*.35)&&(r=o+i+2)}n.push(e.slice(o,r)),o=r}return n}var gE,ut=w(()=>{"use strict";gE=3500});function yE(e,t){let n={};for(let o of t.secretKeys){let r=t.envSecrets?... L47: Add to allowlist on this gateway host: ... L52: `),x.info({host:n,port:o},"irc gateway connected"),a.push((l,c)=>{let d=`irc:${l}`,u={peerKey:d,text:c};t.onInbound(u,d,"irc")}),{sendText:async(l,c)=>{let d=l.startsWith("
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
265patternName = generic_password severity = medium line = 265 matchedText = /dl help...in(`
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L265
1#!/usr/bin/env node L2: var RP=Object.defineProperty;var w=(e,t)=>()=>(e&&(t=e(e=0)),t);var qi=(e,t)=>{for(var n in t)RP(e,n,{get:t[n],enumerable:!0})};import UP from"node:crypto";import Mu from"node:fs";... L3: `,{mode:384})}function ta(e){let t=_u(e);if(!t)throw new Error("Invalid entry. Use +E164, tg:<id>, or <channel>:<id>.");let n=C();if("kind"in t&&t.kind==="wa"){if(t.normalized==="*... L4: `,{mode:384})}function Bu(){bh||(rE(),bh=!0)}function te(e){Bu();let t=dr.get(e);return t||(t=vh(),dr.set(e,t)),t}function sa(e,t){Bu();let n=_n.resolve(t),o=te(e);o.cwd=n,dr.set(e... L5: `).replace(/^\n+/,"").trimEnd()}function Ju(e){return e==="global"?"Shared on this gateway (every chat unless this chat overrides the name).":"Stored for this chat only."}function ... ... L45: L46: `);i>Math.floor(t*.35)&&(r=o+i+2)}n.push(e.slice(o,r)),o=r}return n}var gE,ut=w(()=>{"use strict";gE=3500});function yE(e,t){let n={};for(let o of t.secretKeys){let r=t.envSecrets?... L47: Add to allowlist on this gateway host: ... L52: `),x.info({host:n,port:o},"irc gateway connected"),a.push((l,c)=>{let d=`irc:${l}`,u={peerKey:d,text:c};t.onInbound(u,d,"irc")}),{sendText:async(l,c)=>{let d=l.startsWith("
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L1
scripts/check-node-version.cjsView file
8L9: var nodeVersion = require("./node-version.cjs"); L10:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/check-node-version.cjsView on unpkg · L8
dist/omnish-cursor/uninstall.shView file
path = dist/omnish-cursor/uninstall.sh kind = build_helper sizeBytes = 2543 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/omnish-cursor/uninstall.shView on unpkg
dist/downloads/omnish-claude.tar.gzView file
path = dist/downloads/omnish-claude.tar.gz kind = high_entropy_blob sizeBytes = 10232 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/downloads/omnish-claude.tar.gzView on unpkg
path = dist/downloads/omnish-claude.tar.gz kind = compressed_blob sizeBytes = 10232 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/downloads/omnish-claude.tar.gzView on unpkg
scripts/node-version.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = omnish@2.1.8 matchedIdentity = npm:b21uaXNo:2.1.8 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/node-version.cjsView on unpkg

Findings

1 Critical7 High10 Medium6 Low
CriticalPrevious Version Dangerous Deltascripts/node-version.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCredential Exfiltrationdist/index.js
HighCommand Output Exfiltrationdist/index.js
HighShips High Entropy Blobdist/downloads/omnish-claude.tar.gz
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patterndist/index.js
MediumDynamic Requirescripts/check-node-version.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumShips Build Helperdist/omnish-cursor/uninstall.sh
MediumShips Compressed Blobdist/downloads/omnish-claude.tar.gz
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.js
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings