← Home

@wireio/wire-cli-dev

npm Repository Homepage

Wire CLI Utilities

1
Versions
ISC
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jglanzwn-user

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:silent-process-exec AI (semgrep): Spawns named 'kiod' daemon (blockchain key daemon) with comment; consistent with Wire Network CLI tooling, not a covert process. ai
semgrep semgrep:silent-process-exec-var AI (semgrep): Same kiod daemon spawn; stable false positive for this blockchain CLI package. ai
semgrep semgrep:env-spread AI (semgrep): Passing process.env to child process is standard; only overrides HOME to /root for daemon context. ai
semgrep semgrep:child-process-import AI (semgrep): CLI tool legitimately uses child_process to invoke blockchain binaries; expected pattern. ai

Versions (showing 1 of 1)

Version Deps Published
0.0.1 5 / 17

v0.0.1

7 findings
HIGH silent-process-exec: lib/install.js:158 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/Wire-Network/wire-cli/blob/4794fc97ba6155b35afcaf91d74b1cd7921293b4/lib/install.js#L158 156 | catch { } 157 | // Start kiod > 158 | const kiodProc = childProcess.spawn("kiod", [], { 159 | detached: true, 160 | stdio: "ignore",

HIGH silent-process-exec-var: lib/install.js:158 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/Wire-Network/wire-cli/blob/4794fc97ba6155b35afcaf91d74b1cd7921293b4/lib/install.js#L158 156 | catch { } 157 | // Start kiod > 158 | const kiodProc = childProcess.spawn("kiod", [], { 159 | detached: true, 160 | stdio: "ignore",

HIGH env-spread: lib/install.js:161 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/Wire-Network/wire-cli/blob/4794fc97ba6155b35afcaf91d74b1cd7921293b4/lib/install.js#L161 159 | detached: true, 160 | stdio: "ignore", > 161 | env: { ...process.env, HOME: "/root" }, 162 | }); 163 | kiodProc.unref();

HIGH silent-process-exec: src/install.ts:188 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/Wire-Network/wire-cli/blob/4794fc97ba6155b35afcaf91d74b1cd7921293b4/src/install.ts#L188 186 | 187 | // Start kiod > 188 | const kiodProc = childProcess.spawn("kiod", [], { 189 | detached: true, 190 | stdio: "ignore",

HIGH silent-process-exec-var: src/install.ts:188 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/Wire-Network/wire-cli/blob/4794fc97ba6155b35afcaf91d74b1cd7921293b4/src/install.ts#L188 186 | 187 | // Start kiod > 188 | const kiodProc = childProcess.spawn("kiod", [], { 189 | detached: true, 190 | stdio: "ignore",

HIGH env-spread: src/install.ts:191 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/Wire-Network/wire-cli/blob/4794fc97ba6155b35afcaf91d74b1cd7921293b4/src/install.ts#L191 189 | detached: true, 190 | stdio: "ignore", > 191 | env: { ...process.env, HOME: "/root" }, 192 | }); 193 | kiodProc.unref();

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.