registry  /  rastack  /  0.0.40

rastack@0.0.40

AI Security Review

scanned 13h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time behavior. The package is a user-invoked CLI that can generate deployment files, run configured CI commands, and update itself only through explicit subcommands.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `rastack init`, `rastack ci`, `rastack update`, or other CLI subcommands
Impact
Can modify the current project or deploy configured AWS resources when explicitly requested; no credential harvesting, covert exfiltration, or AI-agent control-surface mutation found.
Mechanism
User-invoked code generation, deployment orchestration, and self-update
Rationale
Static hints map to normal CLI behavior: user-supplied subcommands invoke local tools, deployment configuration, or package-aligned updates. Source inspection found no lifecycle execution, secret collection, exfiltration endpoint, stealth persistence, destructive payload, or foreign AI-agent configuration mutation.
Evidence
package.jsondist/rastack.jssrc/rastack-update.tssrc/rastack-init.tssrc/rastack-ci.tssrc/deploy/io.tssrc/deploy/ci.tsprovider/wasm.ts.rastack/deploy.json.github/workflows/ci.yml.github/workflows/deploy-backend.yml

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall/prepare hook.
    • `dist/rastack.js` dispatches only explicit CLI subcommands.
    • `src/rastack-update.ts` self-updates only when `rastack update` is invoked.
    • `src/rastack-init.ts` writes deployment files only for explicit `rastack init`.
    • `src/rastack-ci.ts` executes developer-configured CI steps only for explicit `rastack ci`.
    • `provider/wasm.ts` dynamically imports the package's own WASM module.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 174 file(s), 744 KB of source, external domains: 127.0.0.1, cli.github.com, www.w3.org

    Source & flagged code

    5 flagged · loading source
    dist/deploy/io.jsView file
    56exports.withPrompt = withPrompt; L57: const child_process_1 = require("child_process"); L58: const fs = __importStar(require("fs"));
    High
    Child Process

    Package source references child process execution.

    dist/deploy/io.jsView on unpkg · L56
    provider/wasm.tsView file
    12// eslint-disable-next-line no-new-func L13: new Function("s", "return import(s)") as any; L14:
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    provider/wasm.tsView on unpkg · L12
    dist/rastack-compile.jsView file
    12Object.defineProperty(exports, "__esModule", { value: true }); L13: const compile_1 = require("./compile"); L14: const DEFAULT_RESOURCES = "resources";
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/rastack-compile.jsView on unpkg · L12
    src/rastack-update.tsView file
    14* prefix (`~/.rastack`, via the hosted installer). Updating re-runs L15: * `npm install -g rastack@<target>` against that SAME prefix — derived from where L16: * the running CLI lives — so it never scatters a second copy into npm's default ... L19: L20: import { execFileSync } from "child_process"; L21: import { readFileSync } from "fs";
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    src/rastack-update.tsView on unpkg · L14
    dist/rastack-init.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = rastack@0.0.39 matchedIdentity = npm:cmFzdGFjaw:0.0.39 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/rastack-init.jsView on unpkg

    Findings

    1 Critical3 High4 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/rastack-init.js
    HighChild Processdist/deploy/io.js
    HighShell
    HighRuntime Package Installsrc/rastack-update.ts
    MediumDynamic Requiredist/rastack-compile.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvalprovider/wasm.ts
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings