@adhdev/daemon-core
ADHDev daemon core — CDP, IDE detection, providers, command execution
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:silent-process-exec | AI (semgrep): Spawns process.execPath with process.argv.slice(1) — a self-restart/daemon pattern, not a reverse shell or miner. Stable for this daemon tooling package. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same self-restart pattern as silent-process-exec; detached spawn of the same Node process is a standard daemon restart idiom. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child process spawn config is standard for CLI tools that need to pass the current environment to subprocesses. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IP references are 127.0.0.1 (localhost) for CDP protocol communication — expected behavior for a local browser debugger integration. | ai | |
| semgrep | semgrep:http-module-request | AI (semgrep): HTTP requests target 127.0.0.1 for CDP version endpoint — standard local CDP usage, not telemetry or exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of CDP protocol response data (e.g., screenshots) is standard CDP usage. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in validate.js loads provider plugin files for validation — a legitimate plugin loader pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used to run 'which' to check command availability — standard CLI tool pattern. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common (~88% of npm packages); not a disqualifier on its own for this package. | ai |
Versions (showing 100 of 346)
| Version | Deps | Published |
|---|---|---|
| 0.7.28 | 8 / 4 | |
| 0.7.27 | 8 / 4 | |
| 0.7.26 | 8 / 4 | |
| 0.7.25 | 8 / 4 | |
| 0.7.24 | 8 / 4 | |
| 0.7.23 | 8 / 4 | |
| 0.7.22 | 8 / 4 | |
| 0.7.21 | 8 / 4 | |
| 0.7.20 | 8 / 4 | |
| 0.7.19 | 8 / 4 | |
| 0.7.18 | 8 / 4 | |
| 0.7.17 | 8 / 4 | |
| 0.7.16 | 8 / 4 | |
| 0.7.15 | 8 / 4 | |
| 0.7.14 | 8 / 4 | |
| 0.7.13 | 8 / 4 | |
| 0.7.12 | 8 / 4 | |
| 0.7.11 | 8 / 4 | |
| 0.7.10 | 8 / 4 | |
| 0.7.9 | 8 / 4 | |
| 0.7.7 | 8 / 4 | |
| 0.7.6 | 7 / 4 | |
| 0.7.5 | 7 / 4 | |
| 0.7.4 | 7 / 4 | |
| 0.7.3 | 7 / 4 | |
| 0.7.2 | 7 / 4 | |
| 0.7.1 | 7 / 4 | |
| 0.7.0 | 7 / 4 | |
| 0.6.79 | 7 / 4 | |
| 0.6.77 | 7 / 4 | |
| 0.6.76 | 7 / 4 | |
| 0.6.75 | 7 / 4 | |
| 0.6.74 | 7 / 4 | |
| 0.6.73 | 7 / 4 | |
| 0.6.72 | 6 / 4 | |
| 0.6.71 | 6 / 4 | |
| 0.6.70 | 6 / 4 | |
| 0.6.69 | 5 / 4 | |
| 0.6.68 | 5 / 4 | |
| 0.6.67 | 5 / 4 | |
| 0.6.66 | 5 / 4 | |
| 0.6.63 | 5 / 4 | |
| 0.6.62 | 5 / 4 | |
| 0.6.61 | 5 / 4 | |
| 0.6.60 | 5 / 4 | |
| 0.6.59 | 5 / 4 | |
| 0.6.58 | 5 / 4 | |
| 0.6.57 | 5 / 4 | |
| 0.6.56 | 5 / 4 | |
| 0.6.55 | 4 / 4 | |
| 0.6.53 | 4 / 4 | |
| 0.6.52 | 4 / 4 | |
| 0.6.51 | 4 / 4 | |
| 0.6.50 | 4 / 4 | |
| 0.6.49 | 4 / 4 | |
| 0.6.48 | 4 / 4 | |
| 0.6.47 | 4 / 4 | |
| 0.6.46 | 4 / 4 | |
| 0.6.45 | 4 / 4 | |
| 0.6.44 | 4 / 4 | |
| 0.6.43 | 4 / 4 | |
| 0.6.42 | 4 / 4 | |
| 0.6.41 | 4 / 4 | |
| 0.6.40 | 4 / 4 | |
| 0.6.39 | 4 / 4 | |
| 0.6.37 | 4 / 4 | |
| 0.6.36 | 4 / 4 | |
| 0.6.35 | 4 / 4 | |
| 0.6.34 | 4 / 4 | |
| 0.6.32 | 4 / 4 | |
| 0.6.31 | 4 / 4 | |
| 0.6.30 | 4 / 4 | |
| 0.6.29 | 4 / 4 | |
| 0.6.26 | 4 / 4 | |
| 0.6.25 | 4 / 4 | |
| 0.6.24 | 4 / 4 | |
| 0.6.23 | 4 / 4 | |
| 0.6.22 | 4 / 4 | |
| 0.6.21 | 4 / 4 | |
| 0.6.19 | 4 / 4 | |
| 0.6.18 | 4 / 4 | |
| 0.6.17 | 4 / 4 | |
| 0.6.16 | 4 / 4 | |
| 0.6.15 | 4 / 4 | |
| 0.6.13 | 4 / 4 | |
| 0.6.12 | 4 / 4 | |
| 0.6.11 | 4 / 4 | |
| 0.6.10 | 4 / 4 | |
| 0.6.8 | 4 / 4 | |
| 0.6.7 | 4 / 4 | |
| 0.6.6 | 4 / 4 | |
| 0.6.5 | 4 / 4 | |
| 0.6.4 | 4 / 4 | |
| 0.6.3 | 4 / 4 | |
| 0.6.2 | 4 / 4 | |
| 0.6.1 | 4 / 4 | |
| 0.6.0 | 4 / 4 | |
| 0.5.64 | 4 / 4 | |
| 0.5.63 | 4 / 4 | |
| 0.5.62 | 4 / 4 |
v0.7.28
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/30dbf951e8dd508fdd6ca99ddbf6fe6df7a65577/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.27
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b4bf100c737d287fc168c6cd3a2bc0bdff4b2892/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.26
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6640803f50b910f4135e1c0f99937314c866c6dc/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.25
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/4ce280b4f3faa2b5e5d6746794a061df63a2079d/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.24
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2c6fd791ffa142ece6c37ba1735c138b15eeec95/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.23
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a0dc32eae006e868fca06707c8cc98ccc4eed96/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.22
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ce79f492af9260b10eac99a6bfa4f098e90c5b3c/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.21
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ff460df768d3930eb9590d5c52e53fddb9700b4d/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.20
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e866af2db7c29b879a2e0c9dd8863981b6267481/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.19
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8f3e78fa316e90ae1d205c8fe1f88d817111dc0e/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.18
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/478a7f3196e84515f6baa988d337444d76620463/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.17
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c22d3f3fc3599c97a8e952d462ca2bbd266365fa/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.16
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ba1dddd72390e04c6573008a862b62aeee1ec6b2/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.15
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/78a48db8c28735a16ad6ede88c5f698648330446/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.14
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/638a538351e769163b98055bceadb43a48f5f922/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.13
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5041297f4afe28423e97ec84b6e6a43713684d5d/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.12
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b1371254811ca0aabfd41019454a5c51ddf2c9e/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.11
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e5be637a57fdb6e1959f47e4e1e63b7e450d2d1f/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.10
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/af2db8bdf9bace056ccccc34e71390eb266357e2/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.9
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9b89dee36b8245ce06102fe674eb648439f2b3d1/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.7
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/cli-adapters/provider-cli-adapter.ts#L606 604 | rows: 40, 605 | cwd: this.workingDir, > 606 | env: { 607 | ...process.env, 608 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/daemon/dev-auto-implement.ts#L378 376 | rows: 40, 377 | cwd: providerDir, > 378 | env: { ...process.env, ...(spawn.env || {}) }, 379 | }); 380 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/daemon/dev-auto-implement.ts#L388 386 | timeout: 900000, 387 | stdio: ['pipe', 'pipe', 'pipe'], > 388 | env: { 389 | ...process.env, 390 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fb567dcf86a3c298e7093676a7bb25462c096a1c/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.6
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e02ca8a30bb94a01f9f3e97aff3644839e30e5a3/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.5
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f6c2bfd02ef0f8fc97e7dd4465c9b9149c16e5a0/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.4
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/ab28369c2ca4d4c1f525a7a40e23304f7fafc864/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.3
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/87fff90f72041d1d690a8ceebbede166603b2bae/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.2
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9e7f85fcc46f3fca00875a61089e3f2d9202f39e/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.1
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2938b6ae6a7f9a82c7d7f8985ed2f944f4fed043/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.0
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/04873f849e17198e7bde70742c1a614527c84e58/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.79
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c72c22b471a423f46b0f19201ae0f37745b3af4f/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.77
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70961d03b83bb9e7c2bbafc63d13a5947bfcf813/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.76
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/cli-adapters/provider-cli-adapter.ts#L593 591 | rows: 40, 592 | cwd: this.workingDir, > 593 | env: { 594 | ...process.env, 595 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/daemon/dev-server.ts#L2063 2061 | stdio: ['pipe', 'pipe', 'pipe'], 2062 | shell: spawn.shell ?? false, > 2063 | env: { ...process.env, ...(spawn.env || {}) }, 2064 | }); 2065 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/daemon/dev-server.ts#L2227 2225 | rows: 40, 2226 | cwd: providerDir, > 2227 | env: { ...process.env, ...(spawn.env || {}) }, 2228 | }); 2229 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/daemon/dev-server.ts#L2237 2235 | timeout: 900000, 2236 | stdio: ['pipe', 'pipe', 'pipe'], > 2237 | env: { 2238 | ...process.env, 2239 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/de8eb43c207a5bfa07859ec8aee7407be39651ad/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.75
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/cli-adapters/provider-cli-adapter.ts#L570 568 | rows: 40, 569 | cwd: this.workingDir, > 570 | env: { 571 | ...process.env, 572 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/daemon/dev-server.ts#L2056 2054 | stdio: ['pipe', 'pipe', 'pipe'], 2055 | shell: spawn.shell ?? false, > 2056 | env: { ...process.env, ...(spawn.env || {}) }, 2057 | }); 2058 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/daemon/dev-server.ts#L2220 2218 | rows: 40, 2219 | cwd: providerDir, > 2220 | env: { ...process.env, ...(spawn.env || {}) }, 2221 | }); 2222 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/daemon/dev-server.ts#L2230 2228 | timeout: 900000, 2229 | stdio: ['pipe', 'pipe', 'pipe'], > 2230 | env: { 2231 | ...process.env, 2232 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/126a6050f80f220a87c1bd01e1f71e44f525ae82/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.74
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/cli-adapters/provider-cli-adapter.ts#L570 568 | rows: 40, 569 | cwd: this.workingDir, > 570 | env: { 571 | ...process.env, 572 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/daemon/dev-server.ts#L2056 2054 | stdio: ['pipe', 'pipe', 'pipe'], 2055 | shell: spawn.shell ?? false, > 2056 | env: { ...process.env, ...(spawn.env || {}) }, 2057 | }); 2058 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/daemon/dev-server.ts#L2220 2218 | rows: 40, 2219 | cwd: providerDir, > 2220 | env: { ...process.env, ...(spawn.env || {}) }, 2221 | }); 2222 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/daemon/dev-server.ts#L2230 2228 | timeout: 900000, 2229 | stdio: ['pipe', 'pipe', 'pipe'], > 2230 | env: { 2231 | ...process.env, 2232 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cd53e0f2fddafd5cd5fefb3a1eaf65ba73ae5224/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.73
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/cli-adapters/provider-cli-adapter.ts#L570 568 | rows: 40, 569 | cwd: this.workingDir, > 570 | env: { 571 | ...process.env, 572 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/daemon/dev-server.ts#L2056 2054 | stdio: ['pipe', 'pipe', 'pipe'], 2055 | shell: spawn.shell ?? false, > 2056 | env: { ...process.env, ...(spawn.env || {}) }, 2057 | }); 2058 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/daemon/dev-server.ts#L2220 2218 | rows: 40, 2219 | cwd: providerDir, > 2220 | env: { ...process.env, ...(spawn.env || {}) }, 2221 | }); 2222 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/daemon/dev-server.ts#L2230 2228 | timeout: 900000, 2229 | stdio: ['pipe', 'pipe', 'pipe'], > 2230 | env: { 2231 | ...process.env, 2232 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7277bf11287b036f2b71da73b9aa88d385d3a632/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.72
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/380e6d6fc52f116fa66559a5617a2d9d031f1a90/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.71
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a2ebd93e1a3b5fb30218a73b76447b67a08c7bc/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.70
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ca0b710e1c9133afc0dbf5783de485a0755ef15/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.69
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fe8f378c99623c31b03faf0ee56b7f21f0100431/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.68
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c1dbf821cf45071ff23c9929135aa81ff0bd9038/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.67
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/31c4514774383e54a673d02cbbdde900fcc8f510/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.66
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e6d40332633af53256846ac34086d1c5db627b42/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.63
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/17ee716dc40cd000935788b2a50aa33c12d03836/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.62
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bb4aef21dae41d069e04d92e4291f4cf90b6bb82/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.61
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a7e8f9ba6e07ae18643873b2c27c589e6b98a3b3/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.60
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6ac16e72479c2736bc2fa298e4d02e91fabba581/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.59
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/630833a1c53517c21d4b7972743498a5f7e7bf88/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.58
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/cli-adapters/provider-cli-adapter.ts#L557 555 | rows: 40, 556 | cwd: this.workingDir, > 557 | env: { 558 | ...process.env, 559 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/daemon/dev-server.ts#L1058 1056 | timeout: timeout, 1057 | stdio: ['pipe', 'pipe', 'pipe'], > 1058 | env: { ...process.env, ...(spawn.env || {}) }, 1059 | }); 1060 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/daemon/dev-server.ts#L1999 1997 | stdio: ['pipe', 'pipe', 'pipe'], 1998 | shell: spawn.shell ?? false, > 1999 | env: { ...process.env, ...(spawn.env || {}) }, 2000 | }); 2001 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/daemon/dev-server.ts#L2163 2161 | rows: 40, 2162 | cwd: providerDir, > 2163 | env: { ...process.env, ...(spawn.env || {}) }, 2164 | }); 2165 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/daemon/dev-server.ts#L2173 2171 | timeout: 900000, 2172 | stdio: ['pipe', 'pipe', 'pipe'], > 2173 | env: { 2174 | ...process.env, 2175 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2e26c33ad2115edcb40763571ef06ee0c3cb5b90/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.57
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/cli-adapters/provider-cli-adapter.ts#L466 464 | rows: 40, 465 | cwd: this.workingDir, > 466 | env: { 467 | ...process.env, 468 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/daemon/dev-server.ts#L1057 1055 | timeout: timeout, 1056 | stdio: ['pipe', 'pipe', 'pipe'], > 1057 | env: { ...process.env, ...(spawn.env || {}) }, 1058 | }); 1059 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/daemon/dev-server.ts#L2003 2001 | stdio: ['pipe', 'pipe', 'pipe'], 2002 | shell: spawn.shell ?? false, > 2003 | env: { ...process.env, ...(spawn.env || {}) }, 2004 | }); 2005 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/daemon/dev-server.ts#L2167 2165 | rows: 40, 2166 | cwd: providerDir, > 2167 | env: { ...process.env, ...(spawn.env || {}) }, 2168 | }); 2169 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/daemon/dev-server.ts#L2177 2175 | timeout: 900000, 2176 | stdio: ['pipe', 'pipe', 'pipe'], > 2177 | env: { 2178 | ...process.env, 2179 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/03740652e2815106057a9becf735d2e092f6fae9/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.56
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/cli-adapters/provider-cli-adapter.ts#L411 409 | rows: 40, 410 | cwd: this.workingDir, > 411 | env: { 412 | ...process.env, 413 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/daemon/dev-server.ts#L1057 1055 | timeout: timeout, 1056 | stdio: ['pipe', 'pipe', 'pipe'], > 1057 | env: { ...process.env, ...(spawn.env || {}) }, 1058 | }); 1059 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/daemon/dev-server.ts#L2003 2001 | stdio: ['pipe', 'pipe', 'pipe'], 2002 | shell: spawn.shell ?? false, > 2003 | env: { ...process.env, ...(spawn.env || {}) }, 2004 | }); 2005 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/daemon/dev-server.ts#L2167 2165 | rows: 40, 2166 | cwd: providerDir, > 2167 | env: { ...process.env, ...(spawn.env || {}) }, 2168 | }); 2169 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/daemon/dev-server.ts#L2177 2175 | timeout: 900000, 2176 | stdio: ['pipe', 'pipe', 'pipe'], > 2177 | env: { 2178 | ...process.env, 2179 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1232e19df6b9c9bd6e090e1ea35ac908ef838f9e/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.55
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/cli-adapters/provider-cli-adapter.ts#L402 400 | rows: 40, 401 | cwd: this.workingDir, > 402 | env: { 403 | ...process.env, 404 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/daemon/dev-server.ts#L1057 1055 | timeout: timeout, 1056 | stdio: ['pipe', 'pipe', 'pipe'], > 1057 | env: { ...process.env, ...(spawn.env || {}) }, 1058 | }); 1059 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/daemon/dev-server.ts#L2003 2001 | stdio: ['pipe', 'pipe', 'pipe'], 2002 | shell: spawn.shell ?? false, > 2003 | env: { ...process.env, ...(spawn.env || {}) }, 2004 | }); 2005 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/daemon/dev-server.ts#L2167 2165 | rows: 40, 2166 | cwd: providerDir, > 2167 | env: { ...process.env, ...(spawn.env || {}) }, 2168 | }); 2169 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/daemon/dev-server.ts#L2177 2175 | timeout: 900000, 2176 | stdio: ['pipe', 'pipe', 'pipe'], > 2177 | env: { 2178 | ...process.env, 2179 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5039baf3080bc03195ec361d4f0bf2c0f069083d/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.53
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/daemon/dev-server.ts#L1057 1055 | timeout: timeout, 1056 | stdio: ['pipe', 'pipe', 'pipe'], > 1057 | env: { ...process.env, ...(spawn.env || {}) }, 1058 | }); 1059 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/daemon/dev-server.ts#L1962 1960 | stdio: ['pipe', 'pipe', 'pipe'], 1961 | shell: spawn.shell ?? false, > 1962 | env: { ...process.env, ...(spawn.env || {}) }, 1963 | }); 1964 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/daemon/dev-server.ts#L2126 2124 | rows: 40, 2125 | cwd: providerDir, > 2126 | env: { ...process.env, ...(spawn.env || {}) }, 2127 | }); 2128 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/daemon/dev-server.ts#L2136 2134 | timeout: 900000, 2135 | stdio: ['pipe', 'pipe', 'pipe'], > 2136 | env: { 2137 | ...process.env, 2138 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/231d8e97c7a40bc16411ceeedbba1d891f48f9e2/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.52
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/daemon/dev-server.ts#L1057 1055 | timeout: timeout, 1056 | stdio: ['pipe', 'pipe', 'pipe'], > 1057 | env: { ...process.env, ...(spawn.env || {}) }, 1058 | }); 1059 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/daemon/dev-server.ts#L1962 1960 | stdio: ['pipe', 'pipe', 'pipe'], 1961 | shell: spawn.shell ?? false, > 1962 | env: { ...process.env, ...(spawn.env || {}) }, 1963 | }); 1964 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/daemon/dev-server.ts#L2126 2124 | rows: 40, 2125 | cwd: providerDir, > 2126 | env: { ...process.env, ...(spawn.env || {}) }, 2127 | }); 2128 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/daemon/dev-server.ts#L2136 2134 | timeout: 900000, 2135 | stdio: ['pipe', 'pipe', 'pipe'], > 2136 | env: { 2137 | ...process.env, 2138 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/70408cd82fe2bfb7826adf98263f05820be1500c/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.51
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/baa4efcb1e0708cfbec99fd64d610130665566d9/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.50
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/cli-adapters/provider-cli-adapter.ts#L381 379 | rows: 40, 380 | cwd: this.workingDir, > 381 | env: { 382 | ...process.env, 383 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/commands/router.ts#L302 300 | } catch { /* ignore */ } 301 | const { spawn } = require('child_process'); > 302 | const child = spawn(process.execPath, process.argv.slice(1), { 303 | detached: true, 304 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/commands/router.ts#L305 303 | detached: true, 304 | stdio: 'ignore', > 305 | env: { ...process.env }, 306 | }); 307 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6cf28e22e7f11b473d99e986687c303146a1236a/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.49
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/cli-adapters/provider-cli-adapter.ts#L381 379 | rows: 40, 380 | cwd: this.workingDir, > 381 | env: { 382 | ...process.env, 383 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b08876d2d031236268fb68e9df745fb6c1b4035a/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.48
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/cli-adapters/provider-cli-adapter.ts#L381 379 | rows: 40, 380 | cwd: this.workingDir, > 381 | env: { 382 | ...process.env, 383 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2ff99ed779004445d6b2bfa40601138101f8a373/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.47
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/055ea15de139b8a93c6615675647dd364e2dbdcc/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.46
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/138b06d94afb3f1e3767b1a89edd391173b60786/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.45
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2617b7339e177f3d0ea9e893e87db6ff740123bb/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.44
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8cbb31d91239fc0358ac18ea6612dcdbce403e7a/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.43
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1e586d8038cce27b9388feb2ee9836f7ca8ec576/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.42
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a4780ad32be1cc317b0519ff22e8760f87dd0699/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.41
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/daemon/dev-server.ts#L1089 1087 | timeout: timeout, 1088 | stdio: ['pipe', 'pipe', 'pipe'], > 1089 | env: { ...process.env, ...(spawn.env || {}) }, 1090 | }); 1091 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/daemon/dev-server.ts#L1995 1993 | stdio: ['pipe', 'pipe', 'pipe'], 1994 | shell: spawn.shell ?? false, > 1995 | env: { ...process.env, ...(spawn.env || {}) }, 1996 | }); 1997 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/daemon/dev-server.ts#L2159 2157 | rows: 40, 2158 | cwd: providerDir, > 2159 | env: { ...process.env, ...(spawn.env || {}) }, 2160 | }); 2161 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/daemon/dev-server.ts#L2169 2167 | timeout: 900000, 2168 | stdio: ['pipe', 'pipe', 'pipe'], > 2169 | env: { 2170 | ...process.env, 2171 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/33554cdec31c7af2d0a70f9e627138f8eb9f7db6/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.40
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/daemon/dev-server.ts#L1070 1068 | timeout: timeout, 1069 | stdio: ['pipe', 'pipe', 'pipe'], > 1070 | env: { ...process.env, ...(spawn.env || {}) }, 1071 | }); 1072 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/daemon/dev-server.ts#L1976 1974 | stdio: ['pipe', 'pipe', 'pipe'], 1975 | shell: spawn.shell ?? false, > 1976 | env: { ...process.env, ...(spawn.env || {}) }, 1977 | }); 1978 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/daemon/dev-server.ts#L2140 2138 | rows: 40, 2139 | cwd: providerDir, > 2140 | env: { ...process.env, ...(spawn.env || {}) }, 2141 | }); 2142 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/daemon/dev-server.ts#L2150 2148 | timeout: 900000, 2149 | stdio: ['pipe', 'pipe', 'pipe'], > 2150 | env: { 2151 | ...process.env, 2152 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a76d0dbfb59fafa9ae0b44281efd554a2c20c229/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.39
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/daemon/dev-server.ts#L1070 1068 | timeout: timeout, 1069 | stdio: ['pipe', 'pipe', 'pipe'], > 1070 | env: { ...process.env, ...(spawn.env || {}) }, 1071 | }); 1072 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/daemon/dev-server.ts#L1976 1974 | stdio: ['pipe', 'pipe', 'pipe'], 1975 | shell: spawn.shell ?? false, > 1976 | env: { ...process.env, ...(spawn.env || {}) }, 1977 | }); 1978 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/daemon/dev-server.ts#L2140 2138 | rows: 40, 2139 | cwd: providerDir, > 2140 | env: { ...process.env, ...(spawn.env || {}) }, 2141 | }); 2142 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/daemon/dev-server.ts#L2150 2148 | timeout: 900000, 2149 | stdio: ['pipe', 'pipe', 'pipe'], > 2150 | env: { 2151 | ...process.env, 2152 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/abc2e65f8fe890647280fd846a613230fb969e2e/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.37
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/daemon/dev-server.ts#L1070 1068 | timeout: timeout, 1069 | stdio: ['pipe', 'pipe', 'pipe'], > 1070 | env: { ...process.env, ...(spawn.env || {}) }, 1071 | }); 1072 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/daemon/dev-server.ts#L1976 1974 | stdio: ['pipe', 'pipe', 'pipe'], 1975 | shell: spawn.shell ?? false, > 1976 | env: { ...process.env, ...(spawn.env || {}) }, 1977 | }); 1978 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/daemon/dev-server.ts#L2140 2138 | rows: 40, 2139 | cwd: providerDir, > 2140 | env: { ...process.env, ...(spawn.env || {}) }, 2141 | }); 2142 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/daemon/dev-server.ts#L2150 2148 | timeout: 900000, 2149 | stdio: ['pipe', 'pipe', 'pipe'], > 2150 | env: { 2151 | ...process.env, 2152 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/875df5d57f5a6e21e413d672b195b3372fab6fbd/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.36
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/daemon/dev-server.ts#L1061 1059 | timeout: timeout, 1060 | stdio: ['pipe', 'pipe', 'pipe'], > 1061 | env: { ...process.env, ...(spawn.env || {}) }, 1062 | }); 1063 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/daemon/dev-server.ts#L1967 1965 | stdio: ['pipe', 'pipe', 'pipe'], 1966 | shell: spawn.shell ?? false, > 1967 | env: { ...process.env, ...(spawn.env || {}) }, 1968 | }); 1969 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/daemon/dev-server.ts#L2131 2129 | rows: 40, 2130 | cwd: providerDir, > 2131 | env: { ...process.env, ...(spawn.env || {}) }, 2132 | }); 2133 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/daemon/dev-server.ts#L2141 2139 | timeout: 900000, 2140 | stdio: ['pipe', 'pipe', 'pipe'], > 2141 | env: { 2142 | ...process.env, 2143 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/02fbdfc599701d83656bc92601d2904e7fa9b149/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.35
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f23ccd5bd7fb099d02dba7db8e34fa69548d2759/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.34
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/69532ea90722a142eb4f8faae348e99a275370c9/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.32
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/5dc2f7d0e9f154b14162783d28e7070d1870a70d/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.31
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/0c9e50809b2b21ed0d7c8fae0e3deab1a004021d/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.30
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/029eb8daf088c9baeeca959fd35075637713f60e/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.29
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8922423cd8e3995ab9795d69a7aa611beb5949a6/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.26
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d699ac135f33e7cf3dda6088be8c87302b72c58b/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.25
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1cfeaac73e6f08bedfa89653d2cc377701945ef8/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.24
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a536a8013c59d3bce2b24de60d30836018aa1284/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.23
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a828d8bcaf8c297e944905264a58a847d0eb3fea/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.22
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/fa8182fee6bbe1f938ab5f7f8956fbaa50a440a0/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.21
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/daemon/dev-server.ts#L2082 2080 | rows: 40, 2081 | cwd: providerDir, > 2082 | env: { ...process.env, ...(spawn.env || {}) }, 2083 | }); 2084 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/daemon/dev-server.ts#L2092 2090 | timeout: 900000, 2091 | stdio: ['pipe', 'pipe', 'pipe'], > 2092 | env: { 2093 | ...process.env, 2094 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/61095d7f300a91b46b85a1bc0b07ada243f91345/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.19
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/daemon/dev-server.ts#L2081 2079 | rows: 40, 2080 | cwd: providerDir, > 2081 | env: { ...process.env, ...(spawn.env || {}) }, 2082 | }); 2083 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/daemon/dev-server.ts#L2091 2089 | timeout: 900000, 2090 | stdio: ['pipe', 'pipe', 'pipe'], > 2091 | env: { 2092 | ...process.env, 2093 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f7ca515b8ab5bd1894bc028f4d800e9f51ebafed/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.18
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/daemon/dev-server.ts#L2079 2077 | rows: 40, 2078 | cwd: providerDir, > 2079 | env: { ...process.env, ...(spawn.env || {}) }, 2080 | }); 2081 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/daemon/dev-server.ts#L2089 2087 | timeout: 900000, 2088 | stdio: ['pipe', 'pipe', 'pipe'], > 2089 | env: { 2090 | ...process.env, 2091 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3c6ef0c17b6de7644db4daf1964e7e15a672e34e/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.17
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/daemon/dev-server.ts#L2079 2077 | rows: 40, 2078 | cwd: providerDir, > 2079 | env: { ...process.env, ...(spawn.env || {}) }, 2080 | }); 2081 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/daemon/dev-server.ts#L2089 2087 | timeout: 900000, 2088 | stdio: ['pipe', 'pipe', 'pipe'], > 2089 | env: { 2090 | ...process.env, 2091 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/92d7745ad04e755c21e1ba24dd1cc0ccbfbe1453/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.16
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/daemon/dev-server.ts#L2079 2077 | rows: 40, 2078 | cwd: providerDir, > 2079 | env: { ...process.env, ...(spawn.env || {}) }, 2080 | }); 2081 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/daemon/dev-server.ts#L2089 2087 | timeout: 900000, 2088 | stdio: ['pipe', 'pipe', 'pipe'], > 2089 | env: { 2090 | ...process.env, 2091 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9a8fe00d60a8ec49a62c19e854f5e36ea4c7964b/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.15
16 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/daemon/dev-server.ts#L2079 2077 | rows: 40, 2078 | cwd: providerDir, > 2079 | env: { ...process.env, ...(spawn.env || {}) }, 2080 | }); 2081 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/daemon/dev-server.ts#L2089 2087 | timeout: 900000, 2088 | stdio: ['pipe', 'pipe', 'pipe'], > 2089 | env: { 2090 | ...process.env, 2091 | ...(spawn.env || {}),
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/59b4c7128ac7982e6bd24de45660f943d5821309/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.13
15 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/daemon/dev-server.ts#L1918 1916 | stdio: ['pipe', 'pipe', 'pipe'], 1917 | shell: spawn.shell ?? false, > 1918 | env: { ...process.env, ...(spawn.env || {}) }, 1919 | }); 1920 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/daemon/dev-server.ts#L2064 2062 | timeout: 900000, // 15 min timeout 2063 | stdio: ['ignore', 'pipe', 'pipe'], > 2064 | env: { ...process.env, ...(spawn.env || {}) }, 2065 | }); 2066 | this.autoImplProcess = child;
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/23e8fd8ff54d7f2090aac02b6f09249858c0e22c/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.12
15 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/daemon/dev-server.ts#L1960 1958 | stdio: ['pipe', 'pipe', 'pipe'], 1959 | shell: spawn.shell ?? false, > 1960 | env: { ...process.env, ...(spawn.env || {}) }, 1961 | }); 1962 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/daemon/dev-server.ts#L2115 2113 | timeout: 900000, // 15 min timeout 2114 | stdio: ['ignore', 'pipe', 'pipe'], > 2115 | env: { ...process.env, ...(spawn.env || {}) }, 2116 | }); 2117 | this.autoImplProcess = child;
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e75cc3ce0f1a0684c0b6587a0eeda5090dbae6d9/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.11
15 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/cli-adapters/provider-cli-adapter.ts#L384 382 | rows: 40, 383 | cwd: this.workingDir, > 384 | env: { 385 | ...process.env, 386 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/commands/router.ts#L290 288 | } catch { /* ignore */ } 289 | const { spawn } = require('child_process'); > 290 | const child = spawn(process.execPath, process.argv.slice(1), { 291 | detached: true, 292 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/commands/router.ts#L293 291 | detached: true, 292 | stdio: 'ignore', > 293 | env: { ...process.env }, 294 | }); 295 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/daemon/dev-server.ts#L1012 1010 | timeout: timeout, 1011 | stdio: ['pipe', 'pipe', 'pipe'], > 1012 | env: { ...process.env, ...(spawn.env || {}) }, 1013 | }); 1014 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/daemon/dev-server.ts#L1960 1958 | stdio: ['pipe', 'pipe', 'pipe'], 1959 | shell: spawn.shell ?? false, > 1960 | env: { ...process.env, ...(spawn.env || {}) }, 1961 | }); 1962 | this.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/daemon/dev-server.ts#L2115 2113 | timeout: 900000, // 15 min timeout 2114 | stdio: ['ignore', 'pipe', 'pipe'], > 2115 | env: { ...process.env, ...(spawn.env || {}) }, 2116 | }); 2117 | this.autoImplProcess = child;
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6e09809acb5a9f260f09a99b3b30367f378f8785/src/providers/acp-provider-instance.ts#L452 450 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 451 | > 452 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 453 | 454 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.64
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.63
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.