@adhdev/daemon-core
ADHDev daemon core — CDP, IDE detection, providers, command execution
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:silent-process-exec | AI (semgrep): Spawns process.execPath with process.argv.slice(1) — a self-restart/daemon pattern, not a reverse shell or miner. Stable for this daemon tooling package. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same self-restart pattern as silent-process-exec; detached spawn of the same Node process is a standard daemon restart idiom. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child process spawn config is standard for CLI tools that need to pass the current environment to subprocesses. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IP references are 127.0.0.1 (localhost) for CDP protocol communication — expected behavior for a local browser debugger integration. | ai | |
| semgrep | semgrep:http-module-request | AI (semgrep): HTTP requests target 127.0.0.1 for CDP version endpoint — standard local CDP usage, not telemetry or exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of CDP protocol response data (e.g., screenshots) is standard CDP usage. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in validate.js loads provider plugin files for validation — a legitimate plugin loader pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used to run 'which' to check command availability — standard CLI tool pattern. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common (~88% of npm packages); not a disqualifier on its own for this package. | ai | |
Versions (showing 100 of 346)
| Version | Deps | Published |
|---|---|---|
| 0.8.84 | 8 / 5 | |
| 0.8.83 | 8 / 5 | |
| 0.8.82 | 8 / 5 | |
| 0.8.81 | 8 / 5 | |
| 0.8.80 | 8 / 5 | |
| 0.8.79 | 8 / 5 | |
| 0.8.78 | 8 / 5 | |
| 0.8.77 | 8 / 5 | |
| 0.8.76 | 8 / 5 | |
| 0.8.75 | 8 / 5 | |
| 0.8.74 | 8 / 5 | |
| 0.8.73 | 8 / 5 | |
| 0.8.72 | 8 / 5 | |
| 0.8.71 | 8 / 5 | |
| 0.8.70 | 8 / 5 | |
| 0.8.69 | 8 / 5 | |
| 0.8.68 | 8 / 5 | |
| 0.8.67 | 8 / 5 | |
| 0.8.66 | 8 / 5 | |
| 0.8.65 | 8 / 5 | |
| 0.8.64 | 8 / 5 | |
| 0.8.63 | 8 / 5 | |
| 0.8.62 | 8 / 5 | |
| 0.8.61 | 8 / 5 | |
| 0.8.60 | 8 / 5 | |
| 0.8.59 | 8 / 5 | |
| 0.8.58 | 8 / 5 | |
| 0.8.57 | 8 / 5 | |
| 0.8.56 | 8 / 5 | |
| 0.8.55 | 8 / 5 | |
| 0.8.54 | 8 / 5 | |
| 0.8.53 | 8 / 5 | |
| 0.8.52 | 8 / 5 | |
| 0.8.51 | 8 / 5 | |
| 0.8.50 | 8 / 5 | |
| 0.8.49 | 8 / 5 | |
| 0.8.48 | 8 / 5 | |
| 0.8.47 | 8 / 5 | |
| 0.8.46 | 8 / 5 | |
| 0.8.45 | 8 / 5 | |
| 0.8.44 | 8 / 5 | |
| 0.8.43 | 8 / 5 | |
| 0.8.42 | 8 / 5 | |
| 0.8.41 | 8 / 5 | |
| 0.8.40 | 8 / 5 | |
| 0.8.39 | 8 / 5 | |
| 0.8.38 | 8 / 5 | |
| 0.8.37 | 8 / 5 | |
| 0.8.36 | 8 / 5 | |
| 0.8.35 | 8 / 5 | |
| 0.8.34 | 8 / 5 | |
| 0.8.33 | 8 / 5 | |
| 0.8.32 | 8 / 5 | |
| 0.8.31 | 8 / 5 | |
| 0.8.30 | 8 / 5 | |
| 0.8.29 | 8 / 5 | |
| 0.8.28 | 8 / 5 | |
| 0.8.27 | 8 / 5 | |
| 0.8.25 | 8 / 5 | |
| 0.8.24 | 8 / 5 | |
| 0.8.23 | 8 / 5 | |
| 0.8.22 | 8 / 4 | |
| 0.8.21 | 8 / 4 | |
| 0.8.20 | 8 / 4 | |
| 0.8.19 | 8 / 4 | |
| 0.8.18 | 8 / 4 | |
| 0.8.17 | 8 / 4 | |
| 0.8.16 | 8 / 4 | |
| 0.8.15 | 8 / 4 | |
| 0.8.14 | 8 / 4 | |
| 0.8.13 | 8 / 4 | |
| 0.8.12 | 8 / 4 | |
| 0.8.11 | 8 / 4 | |
| 0.8.10 | 8 / 4 | |
| 0.8.9 | 8 / 4 | |
| 0.8.8 | 8 / 4 | |
| 0.8.7 | 8 / 4 | |
| 0.8.6 | 8 / 4 | |
| 0.8.5 | 8 / 4 | |
| 0.8.4 | 8 / 4 | |
| 0.8.3 | 8 / 4 | |
| 0.8.2 | 8 / 4 | |
| 0.8.1 | 8 / 4 | |
| 0.8.0 | 8 / 4 | |
| 0.7.46 | 8 / 4 | |
| 0.7.45 | 8 / 4 | |
| 0.7.44 | 8 / 4 | |
| 0.7.43 | 8 / 4 | |
| 0.7.42 | 8 / 4 | |
| 0.7.41 | 8 / 4 | |
| 0.7.40 | 8 / 4 | |
| 0.7.39 | 8 / 4 | |
| 0.7.38 | 8 / 4 | |
| 0.7.37 | 8 / 4 | |
| 0.7.36 | 8 / 4 | |
| 0.7.35 | 8 / 4 | |
| 0.7.33 | 8 / 4 | |
| 0.7.31 | 8 / 4 | |
| 0.7.30 | 8 / 4 | |
| 0.7.29 | 8 / 4 | |
v0.8.84
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.83
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.82
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.81
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.80
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.79
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.78
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.77
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.76
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.75
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.74
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.73
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.72
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.71
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.70
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.69
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.68
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.67
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.66
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.65
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.64
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.63
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.62
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.61
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.60
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.59
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.58
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.57
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.56
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.55
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.54
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.53
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.52
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.51
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.50
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.49
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.48
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.47
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.46
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.45
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.44
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.43
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.42
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.41
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.40
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.38
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.37
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.36
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.34
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.25
18 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/commands/upgrade-helper.ts#L149

```
  147 |
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  150 | const child = spawn(process.execPath, process.argv.slice(1), {
  151 | detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/commands/upgrade-helper.ts#L150

```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 | const child = spawn(process.execPath, process.argv.slice(1), {
  151 | detached: true,
  152 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/commands/upgrade-helper.ts#L150

```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 | const child = spawn(process.execPath, process.argv.slice(1), {
  151 | detached: true,
  152 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/commands/upgrade-helper.ts#L200

```
  198 |
  199 | if (restartArgv.length > 0) {
> 200 | const env = { ...process.env };
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/commands/upgrade-helper.ts#L203

```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 | detached: true,
  205 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/commands/upgrade-helper.ts#L203

```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 | detached: true,
  205 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/daemon/dev-auto-implement.ts#L317

```
  315 | stdio: ['pipe', 'pipe', 'pipe'],
  316 | shell: spawn.shell ?? false,
> 317 | env: { ...process.env, ...(spawn.env || {}) },
  318 | });
  319 | ctx.autoImplProcess = child;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/daemon/dev-auto-implement.ts#L489

```
  487 | rows: 40,
  488 | cwd: providerDir,
> 489 | env: { ...process.env, ...(spawn.env || {}) },
  490 | });
  491 | isPty = true;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/daemon/dev-auto-implement.ts#L499

```
  497 | timeout: 900000,
  498 | stdio: ['pipe', 'pipe', 'pipe'],
> 499 | env: {
  500 | ...process.env,
  501 | ...(spawn.env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/daemon/dev-server.ts#L815

```
  813 | timeout: timeout,
  814 | stdio: ['pipe', 'pipe', 'pipe'],
> 815 | env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/launch.ts#L434

```
  432 | if (!useAppLauncher && ide.cliCommand) {
  433 | // CLI based execute
> 434 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  435 | } else if (appName) {
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/launch.ts#L434

```
  432 | if (!useAppLauncher && ide.cliCommand) {
  433 | // CLI based execute
> 434 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  435 | } else if (appName) {
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/launch.ts#L438

```
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
  437 | const openArgs = ['-a', appName, '--args', ...args];
> 438 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  439 | } else {
  440 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/launch.ts#L438

```
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
  437 | const openArgs = ['-a', appName, '--args', ...args];
> 438 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  439 | } else {
  440 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/launch.ts#L474

```
  472 | if (workspace) args.push(workspace);
  473 |
> 474 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  475 | }
  476 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/launch.ts#L474

```
  472 | if (workspace) args.push(workspace);
  473 |
> 474 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  475 | }
  476 |
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/446399098ff99cc9e055a9027f7366310fbb2f0a/src/providers/acp-provider-instance.ts#L461

```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.24
18 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/commands/upgrade-helper.ts#L149

```
  147 |
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  150 | const child = spawn(process.execPath, process.argv.slice(1), {
  151 | detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/commands/upgrade-helper.ts#L150

```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 | const child = spawn(process.execPath, process.argv.slice(1), {
  151 | detached: true,
  152 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/commands/upgrade-helper.ts#L150

```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 | const child = spawn(process.execPath, process.argv.slice(1), {
  151 | detached: true,
  152 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/commands/upgrade-helper.ts#L200

```
  198 |
  199 | if (restartArgv.length > 0) {
> 200 | const env = { ...process.env };
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/commands/upgrade-helper.ts#L203

```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 | detached: true,
  205 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/commands/upgrade-helper.ts#L203

```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 | detached: true,
  205 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/daemon/dev-auto-implement.ts#L317

```
  315 | stdio: ['pipe', 'pipe', 'pipe'],
  316 | shell: spawn.shell ?? false,
> 317 | env: { ...process.env, ...(spawn.env || {}) },
  318 | });
  319 | ctx.autoImplProcess = child;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/daemon/dev-auto-implement.ts#L489

```
  487 | rows: 40,
  488 | cwd: providerDir,
> 489 | env: { ...process.env, ...(spawn.env || {}) },
  490 | });
  491 | isPty = true;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/daemon/dev-auto-implement.ts#L499

```
  497 | timeout: 900000,
  498 | stdio: ['pipe', 'pipe', 'pipe'],
> 499 | env: {
  500 | ...process.env,
  501 | ...(spawn.env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/daemon/dev-server.ts#L815

```
  813 | timeout: timeout,
  814 | stdio: ['pipe', 'pipe', 'pipe'],
> 815 | env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/launch.ts#L434

```
  432 | if (!useAppLauncher && ide.cliCommand) {
  433 | // CLI based execute
> 434 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  435 | } else if (appName) {
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/launch.ts#L434

```
  432 | if (!useAppLauncher && ide.cliCommand) {
  433 | // CLI based execute
> 434 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  435 | } else if (appName) {
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/launch.ts#L438

```
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
  437 | const openArgs = ['-a', appName, '--args', ...args];
> 438 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  439 | } else {
  440 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/launch.ts#L438

```
  436 | // Fallback to `open -a` when no CLI wrapper is available or the provider prefers it.
  437 | const openArgs = ['-a', appName, '--args', ...args];
> 438 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  439 | } else {
  440 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/launch.ts#L474

```
  472 | if (workspace) args.push(workspace);
  473 |
> 474 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  475 | }
  476 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/launch.ts#L474

```
  472 | if (workspace) args.push(workspace);
  473 |
> 474 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  475 | }
  476 |
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/cdbbb85e4bedf71d64bfe333b00a4093280209df/src/providers/acp-provider-instance.ts#L461

```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.23
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.22
18 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/commands/upgrade-helper.ts#L149 147 | 148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 150 | const child = spawn(process.execPath, process.argv.slice(1), { 151 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/commands/upgrade-helper.ts#L150 148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 150 | const child = spawn(process.execPath, process.argv.slice(1), { 151 | detached: true, 152 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/commands/upgrade-helper.ts#L150 148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 150 | const child = spawn(process.execPath, process.argv.slice(1), { 151 | detached: true, 152 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/commands/upgrade-helper.ts#L200 198 | 199 | if (restartArgv.length > 0) { > 200 | const env = { ...process.env }; 201 | delete env[UPGRADE_HELPER_ENV]; 202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/commands/upgrade-helper.ts#L203 201 | delete env[UPGRADE_HELPER_ENV]; 202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 203 | const child = spawn(process.execPath, restartArgv, { 204 | detached: true, 205 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/commands/upgrade-helper.ts#L203 201 | delete env[UPGRADE_HELPER_ENV]; 202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 203 | const child = spawn(process.execPath, restartArgv, { 204 | detached: true, 205 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/daemon/dev-auto-implement.ts#L317 315 | stdio: ['pipe', 'pipe', 'pipe'], 316 | shell: spawn.shell ?? false, > 317 | env: { ...process.env, ...(spawn.env || {}) }, 318 | }); 319 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/daemon/dev-auto-implement.ts#L489 487 | rows: 40, 488 | cwd: providerDir, > 489 | env: { ...process.env, ...(spawn.env || {}) }, 490 | }); 491 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/daemon/dev-auto-implement.ts#L499 497 | timeout: 900000, 498 | stdio: ['pipe', 'pipe', 'pipe'], > 499 | env: { 500 | ...process.env, 501 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
> 392 |   spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 |   throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/launch.ts#L428
```
  426 |   if (workspace) args.push(workspace);
  427 |
> 428 |   spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f05a899379c39c9bcc08b10fba44a2d4efe14fb3/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.21
18 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/commands/upgrade-helper.ts#L149
```
  147 |
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/commands/upgrade-helper.ts#L150
```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
  152 |     stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/commands/upgrade-helper.ts#L200
```
  198 |
  199 | if (restartArgv.length > 0) {
> 200 |   const env = { ...process.env };
  201 |   delete env[UPGRADE_HELPER_ENV];
  202 |   appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/commands/upgrade-helper.ts#L203
```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 |   detached: true,
  205 |   stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/daemon/dev-auto-implement.ts#L317
```
  315 |   stdio: ['pipe', 'pipe', 'pipe'],
  316 |   shell: spawn.shell ?? false,
> 317 |   env: { ...process.env, ...(spawn.env || {}) },
  318 | });
  319 | ctx.autoImplProcess = child;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/daemon/dev-auto-implement.ts#L489
```
  487 |   rows: 40,
  488 |   cwd: providerDir,
> 489 |   env: { ...process.env, ...(spawn.env || {}) },
  490 | });
  491 | isPty = true;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/daemon/dev-auto-implement.ts#L499
```
  497 | timeout: 900000,
  498 | stdio: ['pipe', 'pipe', 'pipe'],
> 499 | env: {
  500 |   ...process.env,
  501 |   ...(spawn.env || {}),
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/daemon/dev-server.ts#L815
```
  813 |   timeout: timeout,
  814 |   stdio: ['pipe', 'pipe', 'pipe'],
> 815 |   env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/launch.ts#L389
```
  387 |   // 'open -a' execution (ensures GUI session)
  388 |   const openArgs = ['-a', appName, '--args', ...args];
> 389 |   spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
> 392 |   spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 |   throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/launch.ts#L428
```
  426 |   if (workspace) args.push(workspace);
  427 |
> 428 |   spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/d28b86750e79f97db70f8e44e734ce7fb54769ce/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.20
18 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/commands/upgrade-helper.ts#L149
```
  147 |
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/commands/upgrade-helper.ts#L150
```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
  152 |     stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/commands/upgrade-helper.ts#L200
```
  198 |
  199 | if (restartArgv.length > 0) {
> 200 |   const env = { ...process.env };
  201 |   delete env[UPGRADE_HELPER_ENV];
  202 |   appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/commands/upgrade-helper.ts#L203
```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 |   detached: true,
  205 |   stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/daemon/dev-auto-implement.ts#L317
```
  315 |   stdio: ['pipe', 'pipe', 'pipe'],
  316 |   shell: spawn.shell ?? false,
> 317 |   env: { ...process.env, ...(spawn.env || {}) },
  318 | });
  319 | ctx.autoImplProcess = child;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/daemon/dev-auto-implement.ts#L489
```
  487 |   rows: 40,
  488 |   cwd: providerDir,
> 489 |   env: { ...process.env, ...(spawn.env || {}) },
  490 | });
  491 | isPty = true;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/daemon/dev-auto-implement.ts#L499
```
  497 | timeout: 900000,
  498 | stdio: ['pipe', 'pipe', 'pipe'],
> 499 | env: {
  500 |   ...process.env,
  501 |   ...(spawn.env || {}),
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/daemon/dev-server.ts#L815
```
  813 |   timeout: timeout,
  814 |   stdio: ['pipe', 'pipe', 'pipe'],
> 815 |   env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/launch.ts#L389
```
  387 |   // 'open -a' execution (ensures GUI session)
  388 |   const openArgs = ['-a', appName, '--args', ...args];
> 389 |   spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
> 392 |   spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 |   throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/launch.ts#L428
```
  426 |   if (workspace) args.push(workspace);
  427 |
> 428 |   spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/ed6dec9425779f14a4df39439dcbbda08aa6cbd8/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.19
18 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/commands/upgrade-helper.ts#L149
```
  147 |
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/commands/upgrade-helper.ts#L150
```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
  152 |     stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/commands/upgrade-helper.ts#L200
```
  198 |
  199 | if (restartArgv.length > 0) {
> 200 |   const env = { ...process.env };
  201 |   delete env[UPGRADE_HELPER_ENV];
  202 |   appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/commands/upgrade-helper.ts#L203
```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 |   detached: true,
  205 |   stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/daemon/dev-auto-implement.ts#L317
```
  315 |   stdio: ['pipe', 'pipe', 'pipe'],
  316 |   shell: spawn.shell ?? false,
> 317 |   env: { ...process.env, ...(spawn.env || {}) },
  318 | });
  319 | ctx.autoImplProcess = child;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/daemon/dev-auto-implement.ts#L489
```
  487 |   rows: 40,
  488 |   cwd: providerDir,
> 489 |   env: { ...process.env, ...(spawn.env || {}) },
  490 | });
  491 | isPty = true;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/daemon/dev-auto-implement.ts#L499
```
  497 | timeout: 900000,
  498 | stdio: ['pipe', 'pipe', 'pipe'],
> 499 | env: {
  500 |   ...process.env,
  501 |   ...(spawn.env || {}),
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/daemon/dev-server.ts#L815
```
  813 |   timeout: timeout,
  814 |   stdio: ['pipe', 'pipe', 'pipe'],
> 815 |   env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/launch.ts#L389
```
  387 |   // 'open -a' execution (ensures GUI session)
  388 |   const openArgs = ['-a', appName, '--args', ...args];
> 389 |   spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
> 392 |   spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 |   throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/launch.ts#L428
```
  426 |   if (workspace) args.push(workspace);
  427 |
> 428 |   spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/efb0a144189deae9a2a80cf0a40223934f678e7b/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.18
18 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/commands/upgrade-helper.ts#L149
```
  147 |
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/commands/upgrade-helper.ts#L150
```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
  152 |     stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/commands/upgrade-helper.ts#L200
```
  198 |
  199 | if (restartArgv.length > 0) {
> 200 |   const env = { ...process.env };
  201 |   delete env[UPGRADE_HELPER_ENV];
  202 |   appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/commands/upgrade-helper.ts#L203
```
  201 | delete env[UPGRADE_HELPER_ENV];
  202 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 203 | const child = spawn(process.execPath, restartArgv, {
  204 |   detached: true,
  205 |   stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/daemon/dev-auto-implement.ts#L317
```
  315 |   stdio: ['pipe', 'pipe', 'pipe'],
  316 |   shell: spawn.shell ?? false,
> 317 |   env: { ...process.env, ...(spawn.env || {}) },
  318 | });
  319 | ctx.autoImplProcess = child;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/daemon/dev-auto-implement.ts#L489
```
  487 |   rows: 40,
  488 |   cwd: providerDir,
> 489 |   env: { ...process.env, ...(spawn.env || {}) },
  490 | });
  491 | isPty = true;
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/daemon/dev-auto-implement.ts#L499
```
  497 | timeout: 900000,
  498 | stdio: ['pipe', 'pipe', 'pipe'],
> 499 | env: {
  500 |   ...process.env,
  501 |   ...(spawn.env || {}),
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/daemon/dev-server.ts#L815
```
  813 |   timeout: timeout,
  814 |   stdio: ['pipe', 'pipe', 'pipe'],
> 815 |   env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/launch.ts#L389
```
  387 |   // 'open -a' execution (ensures GUI session)
  388 |   const openArgs = ['-a', appName, '--args', ...args];
> 389 |   spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 |   // CLI based execute
> 392 |   spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 |   throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/launch.ts#L428
```
  426 |   if (workspace) args.push(workspace);
  427 |
> 428 |   spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/375346a205ee4ad25dd9f0d3267e1a0024baffaf/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.17
18 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/commands/upgrade-helper.ts#L149
```
  147 |
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/commands/upgrade-helper.ts#L150
```
  148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  149 |   const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 150 |   const child = spawn(process.execPath, process.argv.slice(1), {
  151 |     detached: true,
  152 |     stdio: 'ignore',
```
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/commands/upgrade-helper.ts#L191 189 | 190 | if (restartArgv.length > 0) { > 191 | const env = { ...process.env }; 192 | delete env[UPGRADE_HELPER_ENV]; 193 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/commands/upgrade-helper.ts#L194 192 | delete env[UPGRADE_HELPER_ENV]; 193 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 194 | const child = spawn(process.execPath, restartArgv, { 195 | detached: true, 196 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/commands/upgrade-helper.ts#L194 192 | delete env[UPGRADE_HELPER_ENV]; 193 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 194 | const child = spawn(process.execPath, restartArgv, { 195 | detached: true, 196 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/daemon/dev-auto-implement.ts#L317 315 | stdio: ['pipe', 'pipe', 'pipe'], 316 | shell: spawn.shell ?? false, > 317 | env: { ...process.env, ...(spawn.env || {}) }, 318 | }); 319 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/daemon/dev-auto-implement.ts#L489 487 | rows: 40, 488 | cwd: providerDir, > 489 | env: { ...process.env, ...(spawn.env || {}) }, 490 | }); 491 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/daemon/dev-auto-implement.ts#L499 497 | timeout: 900000, 498 | stdio: ['pipe', 'pipe', 'pipe'], > 499 | env: { 500 | ...process.env, 501 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/9acb33cf47547f0772ae9315e335c02469423014/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.16
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/commands/upgrade-helper.ts#L149 147 | 148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 150 | const child = spawn(process.execPath, process.argv.slice(1), { 151 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/commands/upgrade-helper.ts#L150 148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 150 | const child = spawn(process.execPath, process.argv.slice(1), { 151 | detached: true, 152 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/commands/upgrade-helper.ts#L150 148 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 149 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 150 | const child = spawn(process.execPath, process.argv.slice(1), { 151 | detached: true, 152 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/commands/upgrade-helper.ts#L191 189 | 190 | if (restartArgv.length > 0) { > 191 | const env = { ...process.env }; 192 | delete env[UPGRADE_HELPER_ENV]; 193 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/commands/upgrade-helper.ts#L194 192 | delete env[UPGRADE_HELPER_ENV]; 193 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 194 | const child = spawn(process.execPath, restartArgv, { 195 | detached: true, 196 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/commands/upgrade-helper.ts#L194 192 | delete env[UPGRADE_HELPER_ENV]; 193 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 194 | const child = spawn(process.execPath, restartArgv, { 195 | detached: true, 196 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/daemon/dev-auto-implement.ts#L317 315 | stdio: ['pipe', 'pipe', 'pipe'], 316 | shell: spawn.shell ?? false, > 317 | env: { ...process.env, ...(spawn.env || {}) }, 318 | }); 319 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/daemon/dev-auto-implement.ts#L489 487 | rows: 40, 488 | cwd: providerDir, > 489 | env: { ...process.env, ...(spawn.env || {}) }, 490 | }); 491 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/daemon/dev-auto-implement.ts#L499 497 | timeout: 900000, 498 | stdio: ['pipe', 'pipe', 'pipe'], > 499 | env: { 500 | ...process.env, 501 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/bbb6a90829d7845de0cdada987606c4dfc42839c/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.15
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cdd2793478fb6a2ac7c1bb57e1f11775e1e34a2f/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.14
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1eff82911d5257d9450c54f8aaf057b8de68cc0c/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.13
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/6a721b479c2f7cc37e4a271c06b7e90af76b1963/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.12
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e3ba5b831d7dfcc80de29f431e6b9cf9b40ef3e2/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.11
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7c6a697d8ab6e04bb9c1cfdc632c6bb1a9946af9/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.10
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/8b9e2a6afba4beecf481b5123f39e55bc7b9f57d/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.9
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/eec64c63c29c5917818ba9822c213b9285aad75c/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.8
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/a8857bd08a89cdc33c4fad200f45f30ed0620223/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.7
18 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/commands/upgrade-helper.ts#L144
```
  142 |
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/commands/upgrade-helper.ts#L185
```
  183 |
  184 | if (restartArgv.length > 0) {
> 185 | const env = { ...process.env };
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/daemon/dev-auto-implement.ts#L316
```
  314 | stdio: ['pipe', 'pipe', 'pipe'],
  315 | shell: spawn.shell ?? false,
> 316 | env: { ...process.env, ...(spawn.env || {}) },
  317 | });
  318 | ctx.autoImplProcess = child;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/daemon/dev-auto-implement.ts#L488
```
  486 | rows: 40,
  487 | cwd: providerDir,
> 488 | env: { ...process.env, ...(spawn.env || {}) },
  489 | });
  490 | isPty = true;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/daemon/dev-auto-implement.ts#L498
```
  496 | timeout: 900000,
  497 | stdio: ['pipe', 'pipe', 'pipe'],
> 498 | env: {
  499 | ...process.env,
  500 | ...(spawn.env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/daemon/dev-server.ts#L815
```
  813 | timeout: timeout,
  814 | stdio: ['pipe', 'pipe', 'pipe'],
> 815 | env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/8b926c278dd1407178dd950b8e7964a8190e4fc3/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.6
18 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/commands/upgrade-helper.ts#L144
```
  142 |
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/commands/upgrade-helper.ts#L185
```
  183 |
  184 | if (restartArgv.length > 0) {
> 185 | const env = { ...process.env };
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/daemon/dev-auto-implement.ts#L316
```
  314 | stdio: ['pipe', 'pipe', 'pipe'],
  315 | shell: spawn.shell ?? false,
> 316 | env: { ...process.env, ...(spawn.env || {}) },
  317 | });
  318 | ctx.autoImplProcess = child;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/daemon/dev-auto-implement.ts#L488
```
  486 | rows: 40,
  487 | cwd: providerDir,
> 488 | env: { ...process.env, ...(spawn.env || {}) },
  489 | });
  490 | isPty = true;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/daemon/dev-auto-implement.ts#L498
```
  496 | timeout: 900000,
  497 | stdio: ['pipe', 'pipe', 'pipe'],
> 498 | env: {
  499 | ...process.env,
  500 | ...(spawn.env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/daemon/dev-server.ts#L815
```
  813 | timeout: timeout,
  814 | stdio: ['pipe', 'pipe', 'pipe'],
> 815 | env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/dc359c9d9ac1aa907867fe165cfa8216993ce33d/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.5
18 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/commands/upgrade-helper.ts#L144
```
  142 |
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/commands/upgrade-helper.ts#L185
```
  183 |
  184 | if (restartArgv.length > 0) {
> 185 | const env = { ...process.env };
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/daemon/dev-auto-implement.ts#L316
```
  314 | stdio: ['pipe', 'pipe', 'pipe'],
  315 | shell: spawn.shell ?? false,
> 316 | env: { ...process.env, ...(spawn.env || {}) },
  317 | });
  318 | ctx.autoImplProcess = child;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/daemon/dev-auto-implement.ts#L488
```
  486 | rows: 40,
  487 | cwd: providerDir,
> 488 | env: { ...process.env, ...(spawn.env || {}) },
  489 | });
  490 | isPty = true;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/daemon/dev-auto-implement.ts#L498
```
  496 | timeout: 900000,
  497 | stdio: ['pipe', 'pipe', 'pipe'],
> 498 | env: {
  499 | ...process.env,
  500 | ...(spawn.env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/daemon/dev-server.ts#L815
```
  813 | timeout: timeout,
  814 | stdio: ['pipe', 'pipe', 'pipe'],
> 815 | env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/f02902a1240d6cbadd6709eb0ed3487496b5fd5b/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.4
18 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/commands/upgrade-helper.ts#L144
```
  142 |
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
> 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
  145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/commands/upgrade-helper.ts#L145
```
  143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void {
  144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) };
> 145 | const child = spawn(process.execPath, process.argv.slice(1), {
  146 | detached: true,
  147 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/commands/upgrade-helper.ts#L185
```
  183 |
  184 | if (restartArgv.length > 0) {
> 185 | const env = { ...process.env };
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/commands/upgrade-helper.ts#L188
```
  186 | delete env[UPGRADE_HELPER_ENV];
  187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
> 188 | const child = spawn(process.execPath, restartArgv, {
  189 | detached: true,
  190 | stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/daemon/dev-auto-implement.ts#L316
```
  314 | stdio: ['pipe', 'pipe', 'pipe'],
  315 | shell: spawn.shell ?? false,
> 316 | env: { ...process.env, ...(spawn.env || {}) },
  317 | });
  318 | ctx.autoImplProcess = child;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/daemon/dev-auto-implement.ts#L488
```
  486 | rows: 40,
  487 | cwd: providerDir,
> 488 | env: { ...process.env, ...(spawn.env || {}) },
  489 | });
  490 | isPty = true;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/daemon/dev-auto-implement.ts#L498
```
  496 | timeout: 900000,
  497 | stdio: ['pipe', 'pipe', 'pipe'],
> 498 | env: {
  499 | ...process.env,
  500 | ...(spawn.env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/daemon/dev-server.ts#L815
```
  813 | timeout: timeout,
  814 | stdio: ['pipe', 'pipe', 'pipe'],
> 815 | env: { ...process.env, ...(spawn.env || {}) },
  816 | });
  817 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/launch.ts#L389
```
  387 | // 'open -a' execution (ensures GUI session)
  388 | const openArgs = ['-a', appName, '--args', ...args];
> 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref();
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/launch.ts#L392
```
  390 | } else if (ide.cliCommand) {
  391 | // CLI based execute
> 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref();
  393 | } else {
  394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/launch.ts#L428
```
  426 | if (workspace) args.push(workspace);
  427 |
> 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref();
  429 | }
  430 |
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vilmire/adhdev/blob/6d925a2c8b2da29ac1d1ba45ed187a34cb985624/src/providers/acp-provider-instance.ts#L461
```
  459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files.
  460 |
> 461 | const env = { ...process.env, ...(spawnConfig.env || {}) };
  462 |
  463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.3
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/d929b163f2a18b26044a0107d45f24f34e019280/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/62b46d2b63c600ccefb1efdd1c875bf2feb201d5/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/badf55ed86ea2fee78304147e8c5d7f3389b46bd/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/daemon/dev-auto-implement.ts#L316 314 | stdio: ['pipe', 'pipe', 'pipe'], 315 | shell: spawn.shell ?? false, > 316 | env: { ...process.env, ...(spawn.env || {}) }, 317 | }); 318 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/daemon/dev-auto-implement.ts#L488 486 | rows: 40, 487 | cwd: providerDir, > 488 | env: { ...process.env, ...(spawn.env || {}) }, 489 | }); 490 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/daemon/dev-auto-implement.ts#L498 496 | timeout: 900000, 497 | stdio: ['pipe', 'pipe', 'pipe'], > 498 | env: { 499 | ...process.env, 500 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/daemon/dev-server.ts#L815 813 | timeout: timeout, 814 | stdio: ['pipe', 'pipe', 'pipe'], > 815 | env: { ...process.env, ...(spawn.env || {}) }, 816 | }); 817 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c4a31a14c095b63920f5352ce7ba8532c851d0d6/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.46
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/e9cbfa6213eeb281b1d1673bfd8d379c8e16f2b3/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.45
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/c0b73ab411e482df8de9d64d97295493472807e7/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.44
18 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/commands/upgrade-helper.ts#L144 142 | 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { > 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/commands/upgrade-helper.ts#L145 143 | export function spawnDetachedDaemonUpgradeHelper(payload: DaemonUpgradeHelperPayload): void { 144 | const env = { ...process.env, [UPGRADE_HELPER_ENV]: JSON.stringify(payload) }; > 145 | const child = spawn(process.execPath, process.argv.slice(1), { 146 | detached: true, 147 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/commands/upgrade-helper.ts#L185 183 | 184 | if (restartArgv.length > 0) { > 185 | const env = { ...process.env }; 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/commands/upgrade-helper.ts#L188 186 | delete env[UPGRADE_HELPER_ENV]; 187 | appendUpgradeLog(`Restarting daemon with args: ${restartArgv.join(' ')}`); > 188 | const child = spawn(process.execPath, restartArgv, { 189 | detached: true, 190 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/449d4806a8666afaa6b32408ef4f452cdb3074da/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.43
15 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/commands/router.ts#L338 336 | } catch { /* ignore */ } 337 | const { spawn } = require('child_process'); > 338 | const child = spawn(process.execPath, process.argv.slice(1), { 339 | detached: true, 340 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/commands/router.ts#L338 336 | } catch { /* ignore */ } 337 | const { spawn } = require('child_process'); > 338 | const child = spawn(process.execPath, process.argv.slice(1), { 339 | detached: true, 340 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/commands/router.ts#L341 339 | detached: true, 340 | stdio: 'ignore', > 341 | env: { ...process.env }, 342 | }); 343 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7a6088d28c23b315053df321bdd00548b1d99cab/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.42
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/cli-adapters/provider-cli-adapter.ts#L629 627 | rows: 40, 628 | cwd: this.workingDir, > 629 | env: { 630 | ...process.env, 631 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/commands/router.ts#L338 336 | } catch { /* ignore */ } 337 | const { spawn } = require('child_process'); > 338 | const child = spawn(process.execPath, process.argv.slice(1), { 339 | detached: true, 340 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/commands/router.ts#L338 336 | } catch { /* ignore */ } 337 | const { spawn } = require('child_process'); > 338 | const child = spawn(process.execPath, process.argv.slice(1), { 339 | detached: true, 340 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/commands/router.ts#L341 339 | detached: true, 340 | stdio: 'ignore', > 341 | env: { ...process.env }, 342 | }); 343 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/7e4230dd8776a66c29f3a9b376ca22f4ef576af3/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.41
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/commands/router.ts#L337 335 | } catch { /* ignore */ } 336 | const { spawn } = require('child_process'); > 337 | const child = spawn(process.execPath, process.argv.slice(1), { 338 | detached: true, 339 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/commands/router.ts#L337 335 | } catch { /* ignore */ } 336 | const { spawn } = require('child_process'); > 337 | const child = spawn(process.execPath, process.argv.slice(1), { 338 | detached: true, 339 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/commands/router.ts#L340 338 | detached: true, 339 | stdio: 'ignore', > 340 | env: { ...process.env }, 341 | }); 342 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95d111333caf337e4ae999a76b3ad24eb1e9af44/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.40
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/commands/router.ts#L337 335 | } catch { /* ignore */ } 336 | const { spawn } = require('child_process'); > 337 | const child = spawn(process.execPath, process.argv.slice(1), { 338 | detached: true, 339 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/commands/router.ts#L337 335 | } catch { /* ignore */ } 336 | const { spawn } = require('child_process'); > 337 | const child = spawn(process.execPath, process.argv.slice(1), { 338 | detached: true, 339 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/commands/router.ts#L340 338 | detached: true, 339 | stdio: 'ignore', > 340 | env: { ...process.env }, 341 | }); 342 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1b63af83164867abda581d7081b0a55ee7bb3fd6/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.39
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/commands/router.ts#L327 325 | } catch { /* ignore */ } 326 | const { spawn } = require('child_process'); > 327 | const child = spawn(process.execPath, process.argv.slice(1), { 328 | detached: true, 329 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/commands/router.ts#L327 325 | } catch { /* ignore */ } 326 | const { spawn } = require('child_process'); > 327 | const child = spawn(process.execPath, process.argv.slice(1), { 328 | detached: true, 329 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/commands/router.ts#L330 328 | detached: true, 329 | stdio: 'ignore', > 330 | env: { ...process.env }, 331 | }); 332 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/b8a7e629f49dfacde52e062cb54f4e7c99b8a05d/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.38
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/commands/router.ts#L344 342 | } catch { /* ignore */ } 343 | const { spawn } = require('child_process'); > 344 | const child = spawn(process.execPath, process.argv.slice(1), { 345 | detached: true, 346 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/commands/router.ts#L344 342 | } catch { /* ignore */ } 343 | const { spawn } = require('child_process'); > 344 | const child = spawn(process.execPath, process.argv.slice(1), { 345 | detached: true, 346 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/commands/router.ts#L347 345 | detached: true, 346 | stdio: 'ignore', > 347 | env: { ...process.env }, 348 | }); 349 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/3642f7cc358eeba6c27d1f98865dcbd4d190795e/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.37
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/commands/router.ts#L344 342 | } catch { /* ignore */ } 343 | const { spawn } = require('child_process'); > 344 | const child = spawn(process.execPath, process.argv.slice(1), { 345 | detached: true, 346 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/commands/router.ts#L344 342 | } catch { /* ignore */ } 343 | const { spawn } = require('child_process'); > 344 | const child = spawn(process.execPath, process.argv.slice(1), { 345 | detached: true, 346 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/commands/router.ts#L347 345 | detached: true, 346 | stdio: 'ignore', > 347 | env: { ...process.env }, 348 | }); 349 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/cfea905717961db4ae8262658c315f2aa5fa45ec/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.36
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/commands/router.ts#L344 342 | } catch { /* ignore */ } 343 | const { spawn } = require('child_process'); > 344 | const child = spawn(process.execPath, process.argv.slice(1), { 345 | detached: true, 346 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/commands/router.ts#L344 342 | } catch { /* ignore */ } 343 | const { spawn } = require('child_process'); > 344 | const child = spawn(process.execPath, process.argv.slice(1), { 345 | detached: true, 346 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/commands/router.ts#L347 345 | detached: true, 346 | stdio: 'ignore', > 347 | env: { ...process.env }, 348 | }); 349 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/398f56e509025f15c3faf946529a8dc32150c143/src/providers/acp-provider-instance.ts#L461 459 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 460 | > 461 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 462 | 463 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.35
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/f8ca69fd65e06debc9a1d557fa946bd0781d8327/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.33
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/cli-adapters/provider-cli-adapter.ts#L617 615 | rows: 40, 616 | cwd: this.workingDir, > 617 | env: { 618 | ...process.env, 619 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/1928a9e33c7f71b8750c129957ad2706615651c5/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.31
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/2b3bcd36ad42ef997b8a3c94c27c39be276d9a59/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.30
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/48e93ef0ca80157220bea528c8e0cfee58fb5432/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.29
16 findings
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/cli-adapters/provider-cli-adapter.ts#L609 607 | rows: 40, 608 | cwd: this.workingDir, > 609 | env: { 610 | ...process.env, 611 | ...spawnConfig.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/commands/router.ts#L301 299 | } catch { /* ignore */ } 300 | const { spawn } = require('child_process'); > 301 | const child = spawn(process.execPath, process.argv.slice(1), { 302 | detached: true, 303 | stdio: 'ignore',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/commands/router.ts#L304 302 | detached: true, 303 | stdio: 'ignore', > 304 | env: { ...process.env }, 305 | }); 306 | child.unref();
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/daemon/dev-auto-implement.ts#L214 212 | stdio: ['pipe', 'pipe', 'pipe'], 213 | shell: spawn.shell ?? false, > 214 | env: { ...process.env, ...(spawn.env || {}) }, 215 | }); 216 | ctx.autoImplProcess = child;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/daemon/dev-auto-implement.ts#L385 383 | rows: 40, 384 | cwd: providerDir, > 385 | env: { ...process.env, ...(spawn.env || {}) }, 386 | }); 387 | isPty = true;
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/daemon/dev-auto-implement.ts#L395 393 | timeout: 900000, 394 | stdio: ['pipe', 'pipe', 'pipe'], > 395 | env: { 396 | ...process.env, 397 | ...(spawn.env || {}),
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/daemon/dev-server.ts#L810 808 | timeout: timeout, 809 | stdio: ['pipe', 'pipe', 'pipe'], > 810 | env: { ...process.env, ...(spawn.env || {}) }, 811 | }); 812 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/launch.ts#L389 387 | // 'open -a' execution (ensures GUI session) 388 | const openArgs = ['-a', appName, '--args', ...args]; > 389 | spawn('open', openArgs, { detached: true, stdio: 'ignore' }).unref(); 390 | } else if (ide.cliCommand) { 391 | // CLI based execute
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/launch.ts#L392 390 | } else if (ide.cliCommand) { 391 | // CLI based execute > 392 | spawn(ide.cliCommand, args, { detached: true, stdio: 'ignore' }).unref(); 393 | } else { 394 | throw new Error(`No app identifier or CLI for ${ide.displayName}`);
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/launch.ts#L428 426 | if (workspace) args.push(workspace); 427 | > 428 | spawn(cli, args, { detached: true, stdio: 'ignore' }).unref(); 429 | } 430 |
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/vilmire/adhdev/blob/95eebd843a87a521d19b9c29ae912214de2f4136/src/providers/acp-provider-instance.ts#L456 454 | // ADHDev does NOT inject API keys — tools read their own env vars or config files. 455 | > 456 | const env = { ...process.env, ...(spawnConfig.env || {}) }; 457 | 458 | this.log.info(`[${this.type}] Spawning: ${command} ${args.join(' ')} in ${this.workingDir}`);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.