mcporter
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Publish workflow change (removed prepublishOnly) explains missing gitHead; no other risk signals present. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env to pass environment to child MCP servers is expected behavior for this runtime/proxy tool. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Spawns platform URL-opener (open/start/xdg-open) for OAuth browser flow; not a reverse shell or miner. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same OAuth browser-open pattern; detached+unref is standard for fire-and-forget URL opening. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get inside a Proxy handler is idiomatic JS proxy forwarding, not obfuscation. | ai | |
| phantom-deps | phantom-dep:es-toolkit | AI (phantom-deps): es-toolkit is a declared runtime dependency; phantom-dep heuristic misfires here. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.12.0 | 9 / 16 | |
| 0.11.3 | 9 / 16 | |
| 0.11.2 | 9 / 16 | |
| 0.11.1 | 9 / 16 | |
| 0.11.0 | 9 / 16 | |
| 0.10.2 | 9 / 16 | |
| 0.10.1 | 9 / 16 | |
| 0.10.0 | 9 / 16 | |
| 0.9.0 | 9 / 16 | |
| 0.8.1 | 9 / 15 | |
| 0.6.4 | 9 / 14 | |
| 0.6.3 | 9 / 14 | |
| 0.6.2 | 9 / 14 | |
| 0.6.1 | 9 / 14 | |
| 0.6.0 | 9 / 14 | |
| 0.5.10 | 9 / 14 | |
| 0.5.9 | 9 / 14 | |
| 0.5.8 | 9 / 14 | |
| 0.5.7 | 9 / 14 | |
| 0.5.6 | 9 / 14 | |
| 0.5.3 | 9 / 14 | |
| 0.5.2 | 9 / 14 | |
| 0.5.0 | 9 / 14 | |
| 0.4.3 | 9 / 13 | |
| 0.4.2 | 8 / 13 | |
| 0.4.1 | 8 / 13 | |
| 0.4.0 | 8 / 13 | |
| 0.3.6 | 7 / 12 | |
| 0.3.5 | 7 / 12 | |
| 0.3.4 | 7 / 12 | |
| 0.3.2 | 7 / 12 | |
| 0.3.1 | 7 / 12 | |
| 0.3.0 | 7 / 12 | |
v0.12.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: steipete.
v0.11.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: steipete.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: steipete.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.4
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
106 |   const mergedEnv =
107 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 108 |       ? { ...process.env, ...resolvedEnvOverrides }
109 |       : { ...process.env };
110 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
107 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
108 |       ? { ...process.env, ...resolvedEnvOverrides }
> 109 |       : { ...process.env };
110 |   const transport = new StdioClientTransport({
111 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.3
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
55 |   const mergedEnv =
56 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 57 |       ? { ...process.env, ...resolvedEnvOverrides }
58 |       : { ...process.env };
59 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
56 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
57 |       ? { ...process.env, ...resolvedEnvOverrides }
> 58 |       : { ...process.env };
59 |   const transport = new StdioClientTransport({
60 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.2
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
55 |   const mergedEnv =
56 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 57 |       ? { ...process.env, ...resolvedEnvOverrides }
58 |       : { ...process.env };
59 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
56 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
57 |       ? { ...process.env, ...resolvedEnvOverrides }
> 58 |       : { ...process.env };
59 |   const transport = new StdioClientTransport({
60 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
366 |   const mergedEnv =
367 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 368 |       ? { ...process.env, ...resolvedEnvOverrides }
369 |       : { ...process.env };
370 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
367 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
368 |       ? { ...process.env, ...resolvedEnvOverrides }
> 369 |       : { ...process.env };
370 |   const transport = new StdioClientTransport({
371 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
357 |   const mergedEnv =
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 359 |       ? { ...process.env, ...resolvedEnvOverrides }
360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
359 |       ? { ...process.env, ...resolvedEnvOverrides }
> 360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
362 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.10
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
357 |   const mergedEnv =
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 359 |       ? { ...process.env, ...resolvedEnvOverrides }
360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
359 |       ? { ...process.env, ...resolvedEnvOverrides }
> 360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
362 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.9
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
357 |   const mergedEnv =
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 359 |       ? { ...process.env, ...resolvedEnvOverrides }
360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
359 |       ? { ...process.env, ...resolvedEnvOverrides }
> 360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
362 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.8
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
667 | // Prepares the executable, args, and sanitized env for the child process.
668 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 669 |   const env = { ...process.env };
670 |   const args: string[] = [];
671 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
357 |   const mergedEnv =
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 359 |       ? { ...process.env, ...resolvedEnvOverrides }
360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
358 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
359 |       ? { ...process.env, ...resolvedEnvOverrides }
> 360 |       : { ...process.env };
361 |   const transport = new StdioClientTransport({
362 |     command: resolveCommandArgument(activeDefinition.command.command),
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.7
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
555 | // Prepares the executable, args, and sanitized env for the child process.
556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
558 |   const args: string[] = [];
559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
23 |     ...(options.extraArgs ?? []),
24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
26 |     detached: true,
27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
26 |     detached: true,
27 |     stdio: 'ignore',
> 28 |     env: {
29 |       ...process.env,
30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
41 |   try {
42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
44 |       child.unref();
45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
44 |       child.unref();
45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
47 |         stdio,
48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners) (reported twice for this location)
```ts
50 |       child.unref();
51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
53 |       child.unref();
54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
329 |   const mergedEnv =
330 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 331 |       ? { ...process.env, ...resolvedEnvOverrides }
332 |       : { ...process.env };
333 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
330 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
331 |       ? { ...process.env, ...resolvedEnvOverrides }
> 332 |       : { ...process.env };
333 |   const transport = new StdioClientTransport({
334 |     command: activeDefinition.command.command,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.6
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
  26 |     detached: true,
  27 |     stdio: 'ignore',
> 28 |     env: {
  29 |       ...process.env,
  30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
  329 |   const mergedEnv =
  330 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 331 |       ? { ...process.env, ...resolvedEnvOverrides }
  332 |       : { ...process.env };
  333 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
  330 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
  331 |       ? { ...process.env, ...resolvedEnvOverrides }
> 332 |       : { ...process.env };
  333 |   const transport = new StdioClientTransport({
  334 |     command: activeDefinition.command.command,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.3
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
  26 |     detached: true,
  27 |     stdio: 'ignore',
> 28 |     env: {
  29 |       ...process.env,
  30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
  286 |   const mergedEnv =
  287 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 288 |       ? { ...process.env, ...resolvedEnvOverrides }
  289 |       : { ...process.env };
  290 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
  287 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
  288 |       ? { ...process.env, ...resolvedEnvOverrides }
> 289 |       : { ...process.env };
  290 |   const transport = new StdioClientTransport({
  291 |     command: activeDefinition.command.command,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.2
13 findings

Spreading entire process.env into an object — may capture all secrets
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
  26 |     detached: true,
  27 |     stdio: 'ignore',
> 28 |     env: {
  29 |       ...process.env,
  30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Spreading entire process.env into an object — may capture all secrets
```ts
  286 |   const mergedEnv =
  287 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
> 288 |       ? { ...process.env, ...resolvedEnvOverrides }
  289 |       : { ...process.env };
  290 |   const transport = new StdioClientTransport({
```

Spreading entire process.env into an object — may capture all secrets
```ts
  287 |     resolvedEnvOverrides && Object.keys(resolvedEnvOverrides).length > 0
  288 |       ? { ...process.env, ...resolvedEnvOverrides }
> 289 |       : { ...process.env };
  290 |   const transport = new StdioClientTransport({
  291 |     command: activeDefinition.command.command,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
11 findings

Spreading entire process.env into an object — may capture all secrets
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  23 |     ...(options.extraArgs ?? []),
  24 |   ];
> 25 |   const child = spawn(process.execPath, args, {
  26 |     detached: true,
  27 |     stdio: 'ignore',
```

Spreading entire process.env into an object — may capture all secrets
```ts
  26 |     detached: true,
  27 |     stdio: 'ignore',
> 28 |     env: {
  29 |       ...process.env,
  30 |       MCPORTER_DAEMON_CHILD: '1',
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.3
8 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/steipete/mcporter/blob/6c292b7093702932335ad89e9f17a1d6b14976df/scripts/runner.ts#L557
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/steipete/mcporter/blob/6c292b7093702932335ad89e9f17a1d6b14976df/src/oauth.ts#L43
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/steipete/mcporter/blob/6c292b7093702932335ad89e9f17a1d6b14976df/src/oauth.ts#L43
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/steipete/mcporter/blob/6c292b7093702932335ad89e9f17a1d6b14976df/src/oauth.ts#L46
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/steipete/mcporter/blob/6c292b7093702932335ad89e9f17a1d6b14976df/src/oauth.ts#L46
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/steipete/mcporter/blob/6c292b7093702932335ad89e9f17a1d6b14976df/src/oauth.ts#L52
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/steipete/mcporter/blob/6c292b7093702932335ad89e9f17a1d6b14976df/src/oauth.ts#L52
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.2
8 findings

Spreading entire process.env into an object — may capture all secrets
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1
8 findings

Spreading entire process.env into an object — may capture all secrets
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
8 findings

Spreading entire process.env into an object — may capture all secrets
```ts
  555 | // Prepares the executable, args, and sanitized env for the child process.
  556 | function buildExecutionParams(commandArgs: string[]): { command: string; args: string[]; env: NodeJS.ProcessEnv } {
> 557 |   const env = { ...process.env };
  558 |   const args: string[] = [];
  559 |   let commandStarted = false;
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.5
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  41 |   try {
  42 |     if (platform === 'darwin') {
> 43 |       const child = spawn('open', [url], { stdio, detached: true });
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  44 |       child.unref();
  45 |     } else if (platform === 'win32') {
> 46 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  47 |         stdio,
  48 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  50 |       child.unref();
  51 |     } else {
> 52 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  53 |       child.unref();
  54 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  40 |   try {
  41 |     if (platform === 'darwin') {
> 42 |       const child = spawn('open', [url], { stdio, detached: true });
  43 |       child.unref();
  44 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  40 |   try {
  41 |     if (platform === 'darwin') {
> 42 |       const child = spawn('open', [url], { stdio, detached: true });
  43 |       child.unref();
  44 |     } else if (platform === 'win32') {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  43 |       child.unref();
  44 |     } else if (platform === 'win32') {
> 45 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  46 |         stdio,
  47 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  43 |       child.unref();
  44 |     } else if (platform === 'win32') {
> 45 |       const child = spawn('cmd', ['/c', 'start', '""', url], {
  46 |         stdio,
  47 |         detached: true,
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  49 |       child.unref();
  50 |     } else {
> 51 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  52 |       child.unref();
  53 |     }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
```ts
  49 |       child.unref();
  50 |     } else {
> 51 |       const child = spawn('xdg-open', [url], { stdio, detached: true });
  52 |       child.unref();
  53 |     }
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.