@google/gemini-cli — Greenflagged

Gemini CLI

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

google-wombotofrobotsmrdoob

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:bundle/chunk-VXAIUB7K.js	AI (source-diff): Bundled CLI chunk with node_modules; network+exec is normal for this package's architecture.	ai	2026/06/05
source-diff	net-exec-file:bundle/chunk-GIZG2CGQ.js	AI (source-diff): Bundled CLI chunk with node_modules; network+exec is normal for this package's architecture.	ai	2026/06/05
source-diff	net-exec-file:bundle/chunk-FFUBQCSE.js	AI (source-diff): Bundled CLI chunk with node_modules; network+exec is normal for this package's architecture.	ai	2026/06/05
source-diff	net-exec-file:bundle/chunk-6HYYI5PZ.js	AI (source-diff): Bundled CLI chunk with node_modules; network+exec is normal for this package's architecture.	ai	2026/06/05
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Localhost 127.0.0.1 for local OAuth callback server; not an external IP.	ai	2026/06/05
phantom-deps	phantom-dep:ink-select-input	AI (phantom-deps): Same as ink-big-text — conditional JSX rendering not detected by static import analysis.	ai	2026/05/31
semgrep	semgrep:hex-decode	AI (semgrep): Standard crypto decrypt routine in CLI tool.	ai	2026/04/29
source-diff	net-exec-file:bundle/chunk-UHHRGNIO.js	AI (source-diff): Bundled app chunk with standard CLI logic; not a dropper.	ai	2026/04/29
source-diff	net-exec-file:bundle/chunk-SZYCJREE.js	AI (source-diff): Bundled app chunk with standard CLI logic; not a dropper.	ai	2026/04/29
source-diff	net-exec-file:bundle/chunk-FRSESBS3.js	AI (source-diff): Bundled app chunk with standard CLI logic; not a dropper.	ai	2026/04/29
source-diff	net-exec-file:bundle/chunk-F73F75XM.js	AI (source-diff): Bundled app chunk with standard CLI logic; not a dropper.	ai	2026/04/29
source-diff	net-exec-file:bundle/chunk-3OSQ5US4.js	AI (source-diff): Bundled app chunk with standard CLI logic; not a dropper.	ai	2026/04/29
publish-pattern	new-deps-added	AI (publish-pattern): All new deps are well-known OSS packages consistent with a terminal UI CLI tool; no suspicious additions.	ai	2026/04/28
source-diff	large-new-source-files	AI (source-diff): Rapidly evolving Google CLI; large file additions reflect legitimate feature growth across minor versions.	ai	2026/04/28
source-diff	source-size-dropped	AI (source-diff): Size drop explained by code split into @google/gemini-cli-core sibling package.	ai	2026/04/28
dependencies	unvetted-dep:ink-big-text	AI (dependencies): ink-big-text is a legitimate ink ecosystem UI package; expected for a CLI tool built on ink/react.	ai	2026/04/28
phantom-deps	phantom-dep:ink-big-text	AI (phantom-deps): Ink UI component for CLI splash screen; phantom detection is a false positive for this package.	ai	2026/04/28
phantom-deps	phantom-dep:ink-link	AI (phantom-deps): Monorepo CLI package; ink-link likely used in subcomponents or transitively; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:mime-types	AI (phantom-deps): Declared dep in Google's official CLI; likely used in @google/gemini-cli-core or subcomponents.	ai	2026/04/28
phantom-deps	phantom-dep:ink-text-input	AI (phantom-deps): Ink UI component; stable false positive for this CLI package.	ai	2026/04/28
phantom-deps	phantom-dep:@google/gemini-cli	AI (phantom-deps): Self-referencing dep in monorepo workspace pattern; same-org scope, benign.	ai	2026/04/28
source-diff	encoded-string-file:bundle/gemini.js	AI (source-diff): undici llhttp WASM base64 blob; standard HTTP parser bundled into the CLI.	ai	2026/04/28
npm-metadata	url-dep:@google/gemini-cli-core	AI (npm-metadata): file:../core is a monorepo workspace pattern in the google-gemini/gemini-cli repo; resolved at build time and not a supply-chain risk in the published artifact.	ai	2026/04/26
phantom-deps	phantom-dep:read-package-up	AI (phantom-deps): Common in TypeScript monorepo CLIs; declared for type resolution or indirect use, not a security concern.	ai	2026/04/26
dependencies	unvetted-dep:tinygradient	AI (dependencies): tinygradient is a well-known color gradient utility used for terminal UI rendering in this CLI; no malicious signals.	ai	2026/04/26
provenance	no-provenance	AI (provenance): google-wombot is a well-established Google publisher with 2600+ days of history; absence of Sigstore provenance is not a meaningful risk signal for this package.	ai	2026/04/26
phantom-deps	phantom-dep:@types/update-notifier	AI (phantom-deps): Framework-scoped type package loaded by convention; stable false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:wrap-ansi	AI (phantom-deps): wrap-ansi is a standard dependency for CLI formatting; phantom-dep finding is expected for this package.	ai	2026/04/26
phantom-deps	phantom-dep:diff	AI (phantom-deps): diff is a legitimate dependency used in CLI tools; phantom-dep finding is a false positive for this package type.	ai	2026/04/26
phantom-deps	phantom-dep:color-convert	AI (phantom-deps): color-convert is a benign utility declared as a dependency; indirect usage pattern is stable for this package.	ai	2026/04/26
phantom-deps	phantom-dep:highlight.js	AI (phantom-deps): highlight.js is declared as a dependency and used indirectly via lowlight/bundling; not a security concern for this package.	ai	2026/04/26
semgrep	semgrep:base64-decode	AI (semgrep): Standard esbuild/bundler shim (__toBinaryNode) for binary asset handling; build artifact, not obfuscation.	ai	2026/04/25
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() in Proxy get trap is idiomatic JS Proxy usage, not obfuscation.	ai	2026/04/25
semgrep	semgrep:env-bulk-read	AI (semgrep): Bundled `debug` library filtering for DEBUG_ env vars; canonical pattern, stable for this package.	ai	2026/04/25
semgrep	semgrep:env-spread	AI (semgrep): CLI tool legitimately spreads process.env for sandbox/child process configuration; standard pattern for this package.	ai	2026/04/25

Versions (showing 51 of 83)

View all versions

Version	Deps	Published
0.45.1	0 / 0	2026-06-04
0.40.0	0 / 0	2026-04-28
0.39.1	0 / 0	2026-04-24
0.38.2	0 / 0	2026-04-17
0.38.1	0 / 0	2026-04-15
0.38.0	0 / 0	2026-04-14
0.37.2	0 / 0	2026-04-13
0.37.1	0 / 0	2026-04-09
0.37.0	0 / 0	2026-04-08
0.36.0	0 / 0	2026-04-01
0.35.2	40 / 12	2026-03-26
0.35.1	40 / 12	2026-03-26
0.28.0	39 / 18	2026-02-10
0.24.2	37 / 19	2026-01-16
0.22.2	36 / 19	2025-12-22
0.12.0	34 / 21	2025-11-04
0.11.3	33 / 21	2025-10-31
0.11.2	33 / 21	2025-10-31
0.11.1	33 / 21	2025-10-30
0.11.0	33 / 21	2025-10-29
0.10.0	33 / 21	2025-10-22
0.9.0	33 / 21	2025-10-15
0.8.2	32 / 21	2025-10-10
0.8.1	32 / 21	2025-10-08
0.8.0	32 / 21	2025-10-07
0.7.1	28 / 18	2025-09-19
0.7.0	29 / 18	2025-10-01
0.6.1	29 / 18	2025-09-25
0.6.0	29 / 18	2025-09-24
0.5.5	28 / 18	2025-09-20
0.5.4	27 / 18	2025-09-18
0.5.3	27 / 18	2025-09-17
0.5.1	27 / 18	2025-09-17
0.5.0	27 / 18	2025-09-17
0.4.1	27 / 18	2025-09-11
0.4.0	27 / 18	2025-09-09
0.3.4	29 / 19	2025-09-06
0.3.3	29 / 19	2025-09-06
0.3.2	29 / 19	2025-09-04
0.3.1	29 / 19	2025-09-04
0.3.0	29 / 19	2025-09-04
0.2.2	29 / 18	2025-08-28
0.2.1	29 / 18	2025-08-27
0.1.22	29 / 18	2025-08-18
0.1.21	29 / 18	2025-08-14
0.1.19	29 / 18	2025-08-12
0.1.17	27 / 17	2025-08-05
0.1.15	27 / 17	2025-07-30
0.1.14	27 / 17	2025-07-25
0.1.12	25 / 17	2025-07-13
0.1.11	25 / 17	2025-07-11

v0.45.1

5 findings

HIGH New file with network + code execution: bundle/chunk-6HYYI5PZ.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: bundle/chunk-FFUBQCSE.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: bundle/chunk-GIZG2CGQ.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: bundle/chunk-VXAIUB7K.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.39.1

10 findings

HIGH env-spread: bundle/gemini-APY42TPN.js:8373 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-APY42TPN.js#L8373 8371 | let proxyProcess2 = void 0; 8372 | let sandboxProcess2 = void 0; > 8373 | const sandboxEnv = { ...process.env }; 8374 | if (proxyCommand2) { 8375 | const proxy = process.env["HTTPS_PROXY"] || process.env["https_proxy"] || process.env["HTTP_PROXY"] || process.e

HIGH env-spread: bundle/gemini-APY42TPN.js:8469 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-APY42TPN.js#L8469 8467 | { 8468 | stdio: "inherit", > 8469 | env: { 8470 | ...process.env, 8471 | GEMINI_SANDBOX: command2

HIGH env-spread: bundle/gemini-ASA6UVNB.js:8357 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-ASA6UVNB.js#L8357 8355 | let proxyProcess2 = void 0; 8356 | let sandboxProcess2 = void 0; > 8357 | const sandboxEnv = { ...process.env }; 8358 | if (proxyCommand2) { 8359 | const proxy = process.env["HTTPS_PROXY"] || process.env["https_proxy"] || process.env["HTTP_PROXY"] || process.e

HIGH env-spread: bundle/gemini-ASA6UVNB.js:8453 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-ASA6UVNB.js#L8453 8451 | { 8452 | stdio: "inherit", > 8453 | env: { 8454 | ...process.env, 8455 | GEMINI_SANDBOX: command2

HIGH env-spread: bundle/gemini-JN2NUSDI.js:8373 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-JN2NUSDI.js#L8373 8371 | let proxyProcess2 = void 0; 8372 | let sandboxProcess2 = void 0; > 8373 | const sandboxEnv = { ...process.env }; 8374 | if (proxyCommand2) { 8375 | const proxy = process.env["HTTPS_PROXY"] || process.env["https_proxy"] || process.env["HTTP_PROXY"] || process.e

HIGH env-spread: bundle/gemini-JN2NUSDI.js:8469 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-JN2NUSDI.js#L8469 8467 | { 8468 | stdio: "inherit", > 8469 | env: { 8470 | ...process.env, 8471 | GEMINI_SANDBOX: command2

HIGH env-spread: bundle/gemini-ZVQNZBQE.js:8373 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-ZVQNZBQE.js#L8373 8371 | let proxyProcess2 = void 0; 8372 | let sandboxProcess2 = void 0; > 8373 | const sandboxEnv = { ...process.env }; 8374 | if (proxyCommand2) { 8375 | const proxy = process.env["HTTPS_PROXY"] || process.env["https_proxy"] || process.env["HTTP_PROXY"] || process.e

HIGH env-spread: bundle/gemini-ZVQNZBQE.js:8469 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini-ZVQNZBQE.js#L8469 8467 | { 8468 | stdio: "inherit", > 8469 | env: { 8470 | ...process.env, 8471 | GEMINI_SANDBOX: command2

HIGH env-spread: bundle/gemini.js:55 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/google-gemini/gemini-cli/blob/4d73f3413949ae5c638804c5eac27a9bcd0567ca/bundle/gemini.js#L55 53 | nodeArgs.push(script); 54 | nodeArgs.push(...scriptArgs); > 55 | const newEnv = { ...process.env, GEMINI_CLI_NO_RELAUNCH: "true" }; 56 | const RELAUNCH_EXIT_CODE = 199; 57 | let latestAdminSettings = void 0;