Secure your dependencies. Ship with confidence.

High malicious intent indicators are present: the package contains explicit anti-debugging (process/window title detection leading to fail-fast termination) and anti-dumping/evasion (kernel32 VirtualProtect/ZeroMemory PE/memory erasure). This is strong evidence of supply-chain sabotage/weaponization beyond standard cryptography utilities. Other issues (crypto quality and possible implementation bugs) may further affect reliability/security, but the anti-analysis behavior is sufficient to flag the dependency as dangerous for production use.

This module implements a high-risk runtime loader: it decodes and brotli-decompresses an embedded hardcoded payload, writes it as a temporary ES module (entry.mjs), executes it via dynamic import, and then deletes the temporary artifacts. It also symlinks an existing host node_modules directory into the temp workspace to shape dependency resolution for the executed payload. Even though the provided snippet is truncated and the actual decompressed payload behavior is not visible, the loader/dropper design is strongly suspicious and warrants treating the package as potentially malicious until the embedded payload is extracted and analyzed.

This code fragment is highly consistent with malicious dropper/loader behavior on Windows: it downloads a remote executable from a hardcoded external IP, writes it to a public Windows directory as an .exe without validation, and executes a command via child_process.exec. The non-Windows path only logs a message, suggesting Windows targeting. Overall, the module appears unsafe and likely malicious.

This module contains highly suspicious/likely malicious remote-control functionality. It captures local keyboard/mouse/touch inputs, maps them to a remote video coordinate system, and injects them on a remote peer via WebSocket/WebRTC by sending crafted binary payloads. Critically, it reads the user’s clipboard (Ctrl/Meta+V) and transmits the clipboard contents to the remote peer, indicating clipboard theft/exfiltration. Overall, the security posture is consistent with spyware/remote-access tooling rather than a benign dependency. If present in a supply chain package, it should be treated as a severe compromise risk and removed/isolated immediately.

This module is highly suspicious and likely malicious or backdoored. It performs state transformation and local persistence, but—critically—uses dynamic exec-based SQL/command execution, writes/rotates local DB artifacts, tampers with environment variables, and implements persistence via detached self-relaunch. The additional handling of a Windows .lnk file to extract and apply a remote-debugging port is a strong anomaly for an extension “repair” routine and supports the assessment of security risk in supply-chain context.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.

This fragment is strongly indicative of malicious supply-chain behavior: it performs targeted secret harvesting (environment variables and .env/wrangler config files) and exfiltrates the results to a hardcoded external C2 server via an HTTP POST request, with stealthy error suppression. No legitimate application logic is evident that would require contacting the fixed remote IP or reading and transmitting local secret files. Recommend treating the package as malicious and removing/quarantining it.

The dominant risk in this module is a high-impact supply-chain pattern: a user-initiated upgrade downloads and directly executes remote install scripts from `https://autohand.ai` using `iex`/`sh` pipelines, with no integrity verification shown. Additionally, session validation is implemented normally, but authentication enforcement appears fail-open when validation throws, and token handling is sensitive (sent as both Authorization and Cookie). This code warrants strict review of the upgrade/install mechanism and distribution trust model before use.

This module is highly consistent with malicious remote-code execution/backdoor behavior. It fetches an attacker-controlled payload over the network, reads executable content from an untrusted response field, dynamically executes it with `Function.constructor`, and provides `require` to the payload. The embedded secret-like values used for request headers and the retry-based loader flow further strengthen the conclusion. Treat the package/module as unsafe.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.

High-severity supply-chain risk: the module includes a remote SVG/DOM injection component that can execute embedded <script> contents from fetched SVGs via new Function(scriptText)(window) when evalScripts policy permits, creating an arbitrary code execution vector in the browser. It also performs unsafe innerHTML insertion for SVG <desc>/<title> and mutates the DOM with fetched content. The AI streaming/schema logic appears largely validation-focused but increases overall impact by propagating untrusted remote text into application outputs and errors.

No clear evidence of malware such as network exfiltration, persistence, or system compromise is present in the provided fragment. However, the module introduces a critical arbitrary code execution primitive by defining String.prototype.eval and calling eval() on the receiver string. If attacker-controlled input can ever reach this method, it can lead to full script execution in the application context. Secondary concerns include extensive prototype modifications and non-cryptographic GUID generation.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

This module is primarily a loopback service gateway, but it also contains a high-risk PTY-over-WebSocket feature that spawns an interactive OS shell and bridges client-controlled WebSocket input directly into the shell’s stdin. If the referenced authorization/session-ownership checks are weak or bypassable, the PTY path becomes effectively a remote shell/command execution backdoor. The proxying logic adds potential lateral access/routing risk, but the PTY stdin/stdout bridging is the key security alert.

This module presents a high-risk security profile for a software supply-chain context due to a configurable “执行脚本” capability that explicitly documents an execution environment with HTTP GET/POST and global-variable parameterization (strong exfiltration/abuse potential). Additionally, it renders dynamic content via [innerHTML] across multiple components (XSS/injection risk depending on sanitizer correctness/coverage) and allows attacker-influenced remote resource loading (privacy and malicious content delivery risk). The actual safety depends on runtime sandboxing, URL allowlisting, and sanitizer implementation, which are not verifiable from the excerpt—so it should be reviewed/isolated and subjected to threat modeling and code-level verification of the script executor and sanitization.

This module is a clear remote code execution/dropper pattern: it fetches a payload from a remote endpoint and executes response.data.Cookie as JavaScript via new Function, while granting the payload direct require access. The presence of secret-like request headers and stealth-oriented console handling further increases the likelihood of malicious intent. This should be treated as highly dangerous and not used without rigorous containment and verification.

This module is a high-risk HTML renderer that can inject attacker-controlled CSS into `document.head` and conditionally execute attacker-controlled inline JavaScript by appending `<script>` elements to `document.body`. It also compiles untrusted script text via `new Function(...)`, and it manipulates/rewires image elements based on attacker-controlled attributes. No true sandbox/isolation mechanism is evident. If `html` is not strictly trusted, this presents an XSS/code-execution risk in the host page context.

This package runs a postinstall script (node scripts/postinstall.js) which will execute code on the host during installation. Combined with the highly suspicious dependency on the same package name (@chenguangyao/devflow-kit) this package should be treated as risky until you inspect the contents of scripts/postinstall.js (and any code it invokes, including files under scripts/, bin/, and src/). Potential risks include arbitrary code execution, telemetry/exfiltration, and modification of local developer environment (githooks, CLIs).

This module contains clear, high-impact authentication bypass/backdoor behavior: it unconditionally accepts TOTP code '123456' and auto-enrolls/marks MFA verified for unknown users using a hardcoded TOTP secret when code=='123456'. It also performs push notifications using a hardcoded Authorization header ('key=test_server_key') and exposes sensitive TOTP secrets and backup codes in responses. Overall, the code presents strong malicious/sabotage indicators and should not be used as-is.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

No explicit malicious behavior (e.g., credential theft, network exfiltration, or code execution via eval/Function) is present in this fragment. However, it reliably spawns a detached background Node subprocess (./lib/caller.js) while passing potentially untrusted, caller-controlled data as a CLI JSON argument and suppresses stdio, making downstream behavior harder to audit. The primary supply-chain risk is therefore dependent on how ./lib/caller.js parses and uses the provided arguments. Additionally, the truncated/typoed export line suggests possible integrity/packaging issues that should be corrected before evaluating runtime behavior.

This module is a high-risk agent/orchestrator pattern: it processes untrusted event payloads, contains execution-like branching tied to event fields, spawns a local stdio-based MCP subprocess from a computed binary path with environment-injected remote URL arguments, captures tool outputs (stdout/stderr/success), and forwards results and telemetry outward while maintaining long-lived keep-alive/persistence. The code is heavily string-obfuscated, reducing auditability, and the behavior aligns with supply-chain/agent-compromise scenarios. Full malware intent requires inspection of the helper functions and the actual binaries invoked by the MCP stdio configuration.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.

High malicious intent indicators are present: the package contains explicit anti-debugging (process/window title detection leading to fail-fast termination) and anti-dumping/evasion (kernel32 VirtualProtect/ZeroMemory PE/memory erasure). This is strong evidence of supply-chain sabotage/weaponization beyond standard cryptography utilities. Other issues (crypto quality and possible implementation bugs) may further affect reliability/security, but the anti-analysis behavior is sufficient to flag the dependency as dangerous for production use.

This module implements a high-risk runtime loader: it decodes and brotli-decompresses an embedded hardcoded payload, writes it as a temporary ES module (entry.mjs), executes it via dynamic import, and then deletes the temporary artifacts. It also symlinks an existing host node_modules directory into the temp workspace to shape dependency resolution for the executed payload. Even though the provided snippet is truncated and the actual decompressed payload behavior is not visible, the loader/dropper design is strongly suspicious and warrants treating the package as potentially malicious until the embedded payload is extracted and analyzed.

This code fragment is highly consistent with malicious dropper/loader behavior on Windows: it downloads a remote executable from a hardcoded external IP, writes it to a public Windows directory as an .exe without validation, and executes a command via child_process.exec. The non-Windows path only logs a message, suggesting Windows targeting. Overall, the module appears unsafe and likely malicious.

This module contains highly suspicious/likely malicious remote-control functionality. It captures local keyboard/mouse/touch inputs, maps them to a remote video coordinate system, and injects them on a remote peer via WebSocket/WebRTC by sending crafted binary payloads. Critically, it reads the user’s clipboard (Ctrl/Meta+V) and transmits the clipboard contents to the remote peer, indicating clipboard theft/exfiltration. Overall, the security posture is consistent with spyware/remote-access tooling rather than a benign dependency. If present in a supply chain package, it should be treated as a severe compromise risk and removed/isolated immediately.

This module is highly suspicious and likely malicious or backdoored. It performs state transformation and local persistence, but—critically—uses dynamic exec-based SQL/command execution, writes/rotates local DB artifacts, tampers with environment variables, and implements persistence via detached self-relaunch. The additional handling of a Windows .lnk file to extract and apply a remote-debugging port is a strong anomaly for an extension “repair” routine and supports the assessment of security risk in supply-chain context.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.

This fragment is strongly indicative of malicious supply-chain behavior: it performs targeted secret harvesting (environment variables and .env/wrangler config files) and exfiltrates the results to a hardcoded external C2 server via an HTTP POST request, with stealthy error suppression. No legitimate application logic is evident that would require contacting the fixed remote IP or reading and transmitting local secret files. Recommend treating the package as malicious and removing/quarantining it.

The dominant risk in this module is a high-impact supply-chain pattern: a user-initiated upgrade downloads and directly executes remote install scripts from `https://autohand.ai` using `iex`/`sh` pipelines, with no integrity verification shown. Additionally, session validation is implemented normally, but authentication enforcement appears fail-open when validation throws, and token handling is sensitive (sent as both Authorization and Cookie). This code warrants strict review of the upgrade/install mechanism and distribution trust model before use.

This module is highly consistent with malicious remote-code execution/backdoor behavior. It fetches an attacker-controlled payload over the network, reads executable content from an untrusted response field, dynamically executes it with `Function.constructor`, and provides `require` to the payload. The embedded secret-like values used for request headers and the retry-based loader flow further strengthen the conclusion. Treat the package/module as unsafe.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.

High-severity supply-chain risk: the module includes a remote SVG/DOM injection component that can execute embedded <script> contents from fetched SVGs via new Function(scriptText)(window) when evalScripts policy permits, creating an arbitrary code execution vector in the browser. It also performs unsafe innerHTML insertion for SVG <desc>/<title> and mutates the DOM with fetched content. The AI streaming/schema logic appears largely validation-focused but increases overall impact by propagating untrusted remote text into application outputs and errors.

No clear evidence of malware such as network exfiltration, persistence, or system compromise is present in the provided fragment. However, the module introduces a critical arbitrary code execution primitive by defining String.prototype.eval and calling eval() on the receiver string. If attacker-controlled input can ever reach this method, it can lead to full script execution in the application context. Secondary concerns include extensive prototype modifications and non-cryptographic GUID generation.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

This module is primarily a loopback service gateway, but it also contains a high-risk PTY-over-WebSocket feature that spawns an interactive OS shell and bridges client-controlled WebSocket input directly into the shell’s stdin. If the referenced authorization/session-ownership checks are weak or bypassable, the PTY path becomes effectively a remote shell/command execution backdoor. The proxying logic adds potential lateral access/routing risk, but the PTY stdin/stdout bridging is the key security alert.

This module presents a high-risk security profile for a software supply-chain context due to a configurable “执行脚本” capability that explicitly documents an execution environment with HTTP GET/POST and global-variable parameterization (strong exfiltration/abuse potential). Additionally, it renders dynamic content via [innerHTML] across multiple components (XSS/injection risk depending on sanitizer correctness/coverage) and allows attacker-influenced remote resource loading (privacy and malicious content delivery risk). The actual safety depends on runtime sandboxing, URL allowlisting, and sanitizer implementation, which are not verifiable from the excerpt—so it should be reviewed/isolated and subjected to threat modeling and code-level verification of the script executor and sanitization.

This module is a clear remote code execution/dropper pattern: it fetches a payload from a remote endpoint and executes response.data.Cookie as JavaScript via new Function, while granting the payload direct require access. The presence of secret-like request headers and stealth-oriented console handling further increases the likelihood of malicious intent. This should be treated as highly dangerous and not used without rigorous containment and verification.

This module is a high-risk HTML renderer that can inject attacker-controlled CSS into `document.head` and conditionally execute attacker-controlled inline JavaScript by appending `<script>` elements to `document.body`. It also compiles untrusted script text via `new Function(...)`, and it manipulates/rewires image elements based on attacker-controlled attributes. No true sandbox/isolation mechanism is evident. If `html` is not strictly trusted, this presents an XSS/code-execution risk in the host page context.

This package runs a postinstall script (node scripts/postinstall.js) which will execute code on the host during installation. Combined with the highly suspicious dependency on the same package name (@chenguangyao/devflow-kit) this package should be treated as risky until you inspect the contents of scripts/postinstall.js (and any code it invokes, including files under scripts/, bin/, and src/). Potential risks include arbitrary code execution, telemetry/exfiltration, and modification of local developer environment (githooks, CLIs).

This module contains clear, high-impact authentication bypass/backdoor behavior: it unconditionally accepts TOTP code '123456' and auto-enrolls/marks MFA verified for unknown users using a hardcoded TOTP secret when code=='123456'. It also performs push notifications using a hardcoded Authorization header ('key=test_server_key') and exposes sensitive TOTP secrets and backup codes in responses. Overall, the code presents strong malicious/sabotage indicators and should not be used as-is.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.

This module is highly security-sensitive. It persistently launches a sudo-backed ttyd web terminal running bash and starts code-server with authentication disabled, both on dynamically chosen ports and with services bound to all interfaces. While the fragment does not show explicit data theft/exfiltration, it creates remote interactive execution/control capabilities and reduces auditability via DEVNULL, making it plausibly backdoor-like and extremely dangerous in a supply-chain context unless strictly justified and tightly firewalled.

No explicit malicious behavior (e.g., credential theft, network exfiltration, or code execution via eval/Function) is present in this fragment. However, it reliably spawns a detached background Node subprocess (./lib/caller.js) while passing potentially untrusted, caller-controlled data as a CLI JSON argument and suppresses stdio, making downstream behavior harder to audit. The primary supply-chain risk is therefore dependent on how ./lib/caller.js parses and uses the provided arguments. Additionally, the truncated/typoed export line suggests possible integrity/packaging issues that should be corrected before evaluating runtime behavior.

This module is a high-risk agent/orchestrator pattern: it processes untrusted event payloads, contains execution-like branching tied to event fields, spawns a local stdio-based MCP subprocess from a computed binary path with environment-injected remote URL arguments, captures tool outputs (stdout/stderr/success), and forwards results and telemetry outward while maintaining long-lived keep-alive/persistence. The code is heavily string-obfuscated, reducing auditability, and the behavior aligns with supply-chain/agent-compromise scenarios. Full malware intent requires inspection of the helper functions and the actual binaries invoked by the MCP stdio configuration.

The snippet includes a high-risk terminal/PTY bridge: untrusted WebSocket payloads are written directly to a process via proc.write(msg.toString()) and can resize it via proc.resize(parsed.cols, parsed.rows), with process termination on disconnect. This pattern can enable remote command/terminal control if the terminal endpoint is reachable without strong authentication/authorization and if the underlying process can execute commands. Additional moderate concerns include permissive CORS (origin '*') and server-side OS command execution to open a browser when NODE_ENV !== 'development'. No explicit credential theft/exfiltration or overt malware indicators are visible in this fragment, but the interactive process I/O bridge is a significant security red flag; full evaluation requires the omitted process creation and route/auth logic.