@leeguoo/blog-publish
Personal MisoNote blog publishing CLI for login, publish, update, download, backup, and asset workflows
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:silent-process-exec | AI (semgrep): Fires on openBrowser() using macOS `open` command with detached stdio — standard CLI browser-launch pattern, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same openBrowser() call site as silent-process-exec; stable false positive for this CLI package. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 (localhost OAuth callback); not an external endpoint. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 0.1.16 | 2 / 0 | |
| 0.1.15 | 2 / 0 | |
| 0.1.14 | 0 / 0 | |
| 0.1.13 | 0 / 0 | |
| 0.1.12 | 0 / 0 | |
| 0.1.11 | 0 / 0 | |
| 0.1.10 | 0 / 0 | |
| 0.1.9 | 0 / 0 | |
| 0.1.8 | 0 / 0 | |
| 0.1.7 | 0 / 0 | |
| 0.1.6 | 0 / 0 | |
| 0.1.5 | 0 / 0 | |
| 0.1.4 | 0 / 0 | |
| 0.1.3 | 0 / 0 | |
| 0.1.0 | 0 / 0 | |
v0.1.16
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/434e2cb9baabf713d885f22d9608dd25374ac867/lib/core.mjs#L560 558 | export function openBrowser(url) { 559 | if (process.platform === 'darwin') { > 560 | const child = spawn('open', [url], { 561 | detached: true, 562 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/434e2cb9baabf713d885f22d9608dd25374ac867/lib/core.mjs#L560 558 | export function openBrowser(url) { 559 | if (process.platform === 'darwin') { > 560 | const child = spawn('open', [url], { 561 | detached: true, 562 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/434e2cb9baabf713d885f22d9608dd25374ac867/lib/core.mjs#L569 567 | 568 | if (process.platform === 'win32') { > 569 | const child = spawn('cmd', ['/c', 'start', '', url], { 570 | detached: true, 571 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/434e2cb9baabf713d885f22d9608dd25374ac867/lib/core.mjs#L569 567 | 568 | if (process.platform === 'win32') { > 569 | const child = spawn('cmd', ['/c', 'start', '', url], { 570 | detached: true, 571 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/434e2cb9baabf713d885f22d9608dd25374ac867/lib/core.mjs#L582 580 | } 581 | const args = command === 'gio' ? ['open', url] : [url] > 582 | const child = spawn(command, args, { 583 | detached: true, 584 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/434e2cb9baabf713d885f22d9608dd25374ac867/lib/core.mjs#L582 580 | } 581 | const args = command === 'gio' ? ['open', url] : [url] > 582 | const child = spawn(command, args, { 583 | detached: true, 584 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.15
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/026f682b8d11c850d52dd0949e361f1e368376b6/lib/core.mjs#L560 558 | export function openBrowser(url) { 559 | if (process.platform === 'darwin') { > 560 | const child = spawn('open', [url], { 561 | detached: true, 562 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/026f682b8d11c850d52dd0949e361f1e368376b6/lib/core.mjs#L560 558 | export function openBrowser(url) { 559 | if (process.platform === 'darwin') { > 560 | const child = spawn('open', [url], { 561 | detached: true, 562 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/026f682b8d11c850d52dd0949e361f1e368376b6/lib/core.mjs#L569 567 | 568 | if (process.platform === 'win32') { > 569 | const child = spawn('cmd', ['/c', 'start', '', url], { 570 | detached: true, 571 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/026f682b8d11c850d52dd0949e361f1e368376b6/lib/core.mjs#L569 567 | 568 | if (process.platform === 'win32') { > 569 | const child = spawn('cmd', ['/c', 'start', '', url], { 570 | detached: true, 571 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/026f682b8d11c850d52dd0949e361f1e368376b6/lib/core.mjs#L582 580 | } 581 | const args = command === 'gio' ? ['open', url] : [url] > 582 | const child = spawn(command, args, { 583 | detached: true, 584 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/026f682b8d11c850d52dd0949e361f1e368376b6/lib/core.mjs#L582 580 | } 581 | const args = command === 'gio' ? ['open', url] : [url] > 582 | const child = spawn(command, args, { 583 | detached: true, 584 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.14
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/286555d34dd8705c1246ada4ca6209e370f279ea/lib/core.mjs#L558 556 | export function openBrowser(url) { 557 | if (process.platform === 'darwin') { > 558 | const child = spawn('open', [url], { 559 | detached: true, 560 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/286555d34dd8705c1246ada4ca6209e370f279ea/lib/core.mjs#L558 556 | export function openBrowser(url) { 557 | if (process.platform === 'darwin') { > 558 | const child = spawn('open', [url], { 559 | detached: true, 560 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/286555d34dd8705c1246ada4ca6209e370f279ea/lib/core.mjs#L567 565 | 566 | if (process.platform === 'win32') { > 567 | const child = spawn('cmd', ['/c', 'start', '', url], { 568 | detached: true, 569 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/286555d34dd8705c1246ada4ca6209e370f279ea/lib/core.mjs#L567 565 | 566 | if (process.platform === 'win32') { > 567 | const child = spawn('cmd', ['/c', 'start', '', url], { 568 | detached: true, 569 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/286555d34dd8705c1246ada4ca6209e370f279ea/lib/core.mjs#L580 578 | } 579 | const args = command === 'gio' ? ['open', url] : [url] > 580 | const child = spawn(command, args, { 581 | detached: true, 582 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/286555d34dd8705c1246ada4ca6209e370f279ea/lib/core.mjs#L580 578 | } 579 | const args = command === 'gio' ? ['open', url] : [url] > 580 | const child = spawn(command, args, { 581 | detached: true, 582 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.13
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/6c1a2e21d14f8c24edeff1fd727ccb8ad039bb96/lib/core.mjs#L555 553 | export function openBrowser(url) { 554 | if (process.platform === 'darwin') { > 555 | const child = spawn('open', [url], { 556 | detached: true, 557 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/6c1a2e21d14f8c24edeff1fd727ccb8ad039bb96/lib/core.mjs#L555 553 | export function openBrowser(url) { 554 | if (process.platform === 'darwin') { > 555 | const child = spawn('open', [url], { 556 | detached: true, 557 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/6c1a2e21d14f8c24edeff1fd727ccb8ad039bb96/lib/core.mjs#L564 562 | 563 | if (process.platform === 'win32') { > 564 | const child = spawn('cmd', ['/c', 'start', '', url], { 565 | detached: true, 566 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/6c1a2e21d14f8c24edeff1fd727ccb8ad039bb96/lib/core.mjs#L564 562 | 563 | if (process.platform === 'win32') { > 564 | const child = spawn('cmd', ['/c', 'start', '', url], { 565 | detached: true, 566 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/6c1a2e21d14f8c24edeff1fd727ccb8ad039bb96/lib/core.mjs#L577 575 | } 576 | const args = command === 'gio' ? ['open', url] : [url] > 577 | const child = spawn(command, args, { 578 | detached: true, 579 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/6c1a2e21d14f8c24edeff1fd727ccb8ad039bb96/lib/core.mjs#L577 575 | } 576 | const args = command === 'gio' ? ['open', url] : [url] > 577 | const child = spawn(command, args, { 578 | detached: true, 579 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.11
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 550 | export function openBrowser(url) { 551 | if (process.platform === 'darwin') { > 552 | const child = spawn('open', [url], { 553 | detached: true, 554 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 550 | export function openBrowser(url) { 551 | if (process.platform === 'darwin') { > 552 | const child = spawn('open', [url], { 553 | detached: true, 554 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 559 | 560 | if (process.platform === 'win32') { > 561 | const child = spawn('cmd', ['/c', 'start', '', url], { 562 | detached: true, 563 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 559 | 560 | if (process.platform === 'win32') { > 561 | const child = spawn('cmd', ['/c', 'start', '', url], { 562 | detached: true, 563 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 572 | } 573 | const args = command === 'gio' ? ['open', url] : [url] > 574 | const child = spawn(command, args, { 575 | detached: true, 576 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 572 | } 573 | const args = command === 'gio' ? ['open', url] : [url] > 574 | const child = spawn(command, args, { 575 | detached: true, 576 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.10
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 548 | export function openBrowser(url) { 549 | if (process.platform === 'darwin') { > 550 | const child = spawn('open', [url], { 551 | detached: true, 552 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 548 | export function openBrowser(url) { 549 | if (process.platform === 'darwin') { > 550 | const child = spawn('open', [url], { 551 | detached: true, 552 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 557 | 558 | if (process.platform === 'win32') { > 559 | const child = spawn('cmd', ['/c', 'start', '', url], { 560 | detached: true, 561 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 557 | 558 | if (process.platform === 'win32') { > 559 | const child = spawn('cmd', ['/c', 'start', '', url], { 560 | detached: true, 561 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 570 | } 571 | const args = command === 'gio' ? ['open', url] : [url] > 572 | const child = spawn(command, args, { 573 | detached: true, 574 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 570 | } 571 | const args = command === 'gio' ? ['open', url] : [url] > 572 | const child = spawn(command, args, { 573 | detached: true, 574 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.9
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/44b2d319e78a449acfa7f3b32709cab3666ba85b/lib/core.mjs#L545 543 | export function openBrowser(url) { 544 | if (process.platform === 'darwin') { > 545 | const child = spawn('open', [url], { 546 | detached: true, 547 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/44b2d319e78a449acfa7f3b32709cab3666ba85b/lib/core.mjs#L545 543 | export function openBrowser(url) { 544 | if (process.platform === 'darwin') { > 545 | const child = spawn('open', [url], { 546 | detached: true, 547 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/44b2d319e78a449acfa7f3b32709cab3666ba85b/lib/core.mjs#L554 552 | 553 | if (process.platform === 'win32') { > 554 | const child = spawn('cmd', ['/c', 'start', '', url], { 555 | detached: true, 556 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/44b2d319e78a449acfa7f3b32709cab3666ba85b/lib/core.mjs#L554 552 | 553 | if (process.platform === 'win32') { > 554 | const child = spawn('cmd', ['/c', 'start', '', url], { 555 | detached: true, 556 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/44b2d319e78a449acfa7f3b32709cab3666ba85b/lib/core.mjs#L567 565 | } 566 | const args = command === 'gio' ? ['open', url] : [url] > 567 | const child = spawn(command, args, { 568 | detached: true, 569 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/leeguooooo/blog/blob/44b2d319e78a449acfa7f3b32709cab3666ba85b/lib/core.mjs#L567 565 | } 566 | const args = command === 'gio' ? ['open', url] : [url] > 567 | const child = spawn(command, args, { 568 | detached: true, 569 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.8
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 547 | function openBrowser(url) { 548 | if (process.platform === 'darwin') { > 549 | const child = spawn('open', [url], { 550 | detached: true, 551 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 547 | function openBrowser(url) { 548 | if (process.platform === 'darwin') { > 549 | const child = spawn('open', [url], { 550 | detached: true, 551 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 556 | 557 | if (process.platform === 'win32') { > 558 | const child = spawn('cmd', ['/c', 'start', '', url], { 559 | detached: true, 560 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 556 | 557 | if (process.platform === 'win32') { > 558 | const child = spawn('cmd', ['/c', 'start', '', url], { 559 | detached: true, 560 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 565 | 566 | if (hasCommand('xdg-open')) { > 567 | const child = spawn('xdg-open', [url], { 568 | detached: true, 569 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 565 | 566 | if (hasCommand('xdg-open')) { > 567 | const child = spawn('xdg-open', [url], { 568 | detached: true, 569 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.7
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 546 | function openBrowser(url) { 547 | if (process.platform === 'darwin') { > 548 | const child = spawn('open', [url], { 549 | detached: true, 550 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 546 | function openBrowser(url) { 547 | if (process.platform === 'darwin') { > 548 | const child = spawn('open', [url], { 549 | detached: true, 550 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 555 | 556 | if (process.platform === 'win32') { > 557 | const child = spawn('cmd', ['/c', 'start', '', url], { 558 | detached: true, 559 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 555 | 556 | if (process.platform === 'win32') { > 557 | const child = spawn('cmd', ['/c', 'start', '', url], { 558 | detached: true, 559 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 564 | 565 | if (hasCommand('xdg-open')) { > 566 | const child = spawn('xdg-open', [url], { 567 | detached: true, 568 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 564 | 565 | if (hasCommand('xdg-open')) { > 566 | const child = spawn('xdg-open', [url], { 567 | detached: true, 568 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 540 | function openBrowser(url) { 541 | if (process.platform === 'darwin') { > 542 | const child = spawn('open', [url], { 543 | detached: true, 544 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 540 | function openBrowser(url) { 541 | if (process.platform === 'darwin') { > 542 | const child = spawn('open', [url], { 543 | detached: true, 544 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 549 | 550 | if (process.platform === 'win32') { > 551 | const child = spawn('cmd', ['/c', 'start', '', url], { 552 | detached: true, 553 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 549 | 550 | if (process.platform === 'win32') { > 551 | const child = spawn('cmd', ['/c', 'start', '', url], { 552 | detached: true, 553 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 558 | 559 | if (hasCommand('xdg-open')) { > 560 | const child = spawn('xdg-open', [url], { 561 | detached: true, 562 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 558 | 559 | if (hasCommand('xdg-open')) { > 560 | const child = spawn('xdg-open', [url], { 561 | detached: true, 562 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 539 | function openBrowser(url) { 540 | if (process.platform === 'darwin') { > 541 | const child = spawn('open', [url], { 542 | detached: true, 543 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 539 | function openBrowser(url) { 540 | if (process.platform === 'darwin') { > 541 | const child = spawn('open', [url], { 542 | detached: true, 543 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 548 | 549 | if (process.platform === 'win32') { > 550 | const child = spawn('cmd', ['/c', 'start', '', url], { 551 | detached: true, 552 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 548 | 549 | if (process.platform === 'win32') { > 550 | const child = spawn('cmd', ['/c', 'start', '', url], { 551 | detached: true, 552 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 557 | 558 | if (hasCommand('xdg-open')) { > 559 | const child = spawn('xdg-open', [url], { 560 | detached: true, 561 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 557 | 558 | if (hasCommand('xdg-open')) { > 559 | const child = spawn('xdg-open', [url], { 560 | detached: true, 561 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.4
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 539 | function openBrowser(url) { 540 | if (process.platform === 'darwin') { > 541 | const child = spawn('open', [url], { 542 | detached: true, 543 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 539 | function openBrowser(url) { 540 | if (process.platform === 'darwin') { > 541 | const child = spawn('open', [url], { 542 | detached: true, 543 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 548 | 549 | if (process.platform === 'win32') { > 550 | const child = spawn('cmd', ['/c', 'start', '', url], { 551 | detached: true, 552 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 548 | 549 | if (process.platform === 'win32') { > 550 | const child = spawn('cmd', ['/c', 'start', '', url], { 551 | detached: true, 552 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 557 | 558 | if (hasCommand('xdg-open')) { > 559 | const child = spawn('xdg-open', [url], { 560 | detached: true, 561 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 557 | 558 | if (hasCommand('xdg-open')) { > 559 | const child = spawn('xdg-open', [url], { 560 | detached: true, 561 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 537 | function openBrowser(url) { 538 | if (process.platform === 'darwin') { > 539 | const child = spawn('open', [url], { 540 | detached: true, 541 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 537 | function openBrowser(url) { 538 | if (process.platform === 'darwin') { > 539 | const child = spawn('open', [url], { 540 | detached: true, 541 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 546 | 547 | if (process.platform === 'win32') { > 548 | const child = spawn('cmd', ['/c', 'start', '', url], { 549 | detached: true, 550 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 546 | 547 | if (process.platform === 'win32') { > 548 | const child = spawn('cmd', ['/c', 'start', '', url], { 549 | detached: true, 550 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 555 | 556 | if (hasCommand('xdg-open')) { > 557 | const child = spawn('xdg-open', [url], { 558 | detached: true, 559 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 555 | 556 | if (hasCommand('xdg-open')) { > 557 | const child = spawn('xdg-open', [url], { 558 | detached: true, 559 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
7 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) 446 | function openBrowser(url) { 447 | if (process.platform === 'darwin') { > 448 | const child = spawn('open', [url], { 449 | detached: true, 450 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 446 | function openBrowser(url) { 447 | if (process.platform === 'darwin') { > 448 | const child = spawn('open', [url], { 449 | detached: true, 450 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 455 | 456 | if (process.platform === 'win32') { > 457 | const child = spawn('cmd', ['/c', 'start', '', url], { 458 | detached: true, 459 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 455 | 456 | if (process.platform === 'win32') { > 457 | const child = spawn('cmd', ['/c', 'start', '', url], { 458 | detached: true, 459 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 464 | 465 | if (hasCommand('xdg-open')) { > 466 | const child = spawn('xdg-open', [url], { 467 | detached: true, 468 | stdio: 'ignore'
Silent detached process — runs invisibly in the background (reverse shells, miners) 464 | 465 | if (hasCommand('xdg-open')) { > 466 | const child = spawn('xdg-open', [url], { 467 | detached: true, 468 | stdio: 'ignore'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.