Package evidence

@re-shell/[email protected]

DNS / OAST exfiltration: matched "dig @127.0.0.1 -p 8600 myservice.service.consul\n\n# CoreDNS (port 53) \ndig @127.0.0.1 myservice.consul\n\n# Kubernetes DNS\ndig myservice.default.svc.cluster.local\n\n# etcd service discovery\ncurl http://localhost:2379/v3/catalog/services\n\\`\\`\\`\n\n### HTTP API Discovery\n\n\\`\\`\\`bash\n# Consul Catalog API\ncurl http://localhost:8500/v1/catalog/services\n\n# Health status\ncurl http://localhost:8500/v1/health/service/myservice\n\n# Query specific datacenter\ncurl http://localhost:8500/v1/catalog/services?dc=dc1\n\\`\\`\\`\n\n## etcd Operations\n\n### Store and Retrieve Values\n\n\\`\\`\\`bash\n# Store configuration\n./scripts/etcd-put.sh localhost:2379 /config/database '{\"host\":\"localhost\",\"port\":5432}'\n\n# Retrieve configuration\n./scripts/etcd-get.sh localhost:2379 /config/database\n\n# Watch for changes\netcdctl watch /config/\n\\`\\`\\`\n\n## Health Checking\n\nConsul automatically checks service health:\n\n\\`\\`\\`bash\n# Service health endpoint\ncurl http://localhost:8500/v1/health/service/myservice?passing\n\n# Local agent health\ncurl http://localhost:8500/v1/agent/self\n\n# Cluster health\ncurl http://localhost:8500/v1/health/state/serf_health\n\\`\\`\\`\n\n## Service Mesh with Consul Connect\n\nEnable service mesh features:\n\n\\`\\`\\`bash\n# Intentions for service communication\nconsul intention create -source api-gateway -destination backend\n\n# Sidecar proxies\ndocker-compose up -d api-gateway-proxy backend-service-proxy\n\n# Verify connections\nconsul intention list\n\\`\\`\\`\n\n## Monitoring\n\n- **Consul UI**: http://localhost:8500\n- **Prometheus**: http://localhost:9090\n- **Grafana**: http://localhost:3000 (admin/admin)\n\n## Architecture\n\n\\`\\`\\`\n┌─────────────────────────────────────────────────────┐\n│ Service Discovery Layer │\n│ ┌────────────┐ ┌──────────┐ ┌──────────────┐ │\n│ │ Consul │ │ etcd │ │ Kubernetes │ │\n│ │ Cluster │ │ Cluster │ │ DNS │ │\n│ └─────┬──────┘ └────┬─────┘ └──────┬───────┘ │\n│ │ │ │ │\n└────────┼──────────────┼────────────────┼──────────┘\n │ │ │\n └──────────────┴────────────────┴────────┐\n │ Service Registration │\n └──────────────────────────┘\n ┌──────────────┴───────────────────────────┐\n │ Services Layer │\n │ ┌───────┐ ┌───────┐ ┌────────────┐ │\n │ │ API │ │Backend│ │ Frontend │ │\n │ │Gateway│ │Service│ │ App │ │\n │ └───────┘ └───────┘ └────────────┘ │\n └─────────────────────────────────────────┘\n\\`\\`\\`\n\n## License\n\nMIT\n`,\n 'Makefile': `.PHONY: help up down restart clean install test\n\nhelp: ## Show this help message\n\t@echo 'Usage: make [target]'\n\t@echo ''\n\t@echo 'Available targets:'\n\t@awk 'BEGIN {FS = \":.*?## \"} /^[a-zA-Z_-]+:.*?## / {printf \" \\\\033[36m%-15s\\\\033[0m %s\\\\n\", $$1, $$2}' $(MAKEFILE_LIST)\n\nup: ## Start all services\n\tdocker-compose up -d\n\ndown: ## Stop all services\n\tdocker-compose down\n\nrestart: ## Restart all services\n\tdocker-compose restart\n\nlogs: ## Show logs from all services\n\tdocker-compose logs -f\n\nlogs-consul: ## Show Consul logs\n\tdocker-compose logs -f consul-server1 consul-server2 consul-server3 consul-client\n\nlogs-etcd: ## Show etcd logs\n\tdocker-compose logs -f etcd1 etcd2 etcd3\n\nclean: ## Remove all containers and volumes\n\tdocker-compose down -v\n\tdocker system prune -af\n\ninstall: ## Install dependencies\n\tnpm install\n\ntest: ## Run tests\n\tnpm test\n\nregister: ## Register a service (usage: make register SERVICE=myservice PORT=8080)\n\t./scripts/register-service.sh $(SERVICE) 127.0.0.1 $(PORT)\n\ndiscover: ## Discover services\n\t./scripts/discover-service.sh $("

BL70High risk10 findings contributing

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 3
First published: Jun 2026
Publisher: umutkorkmaz

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@re-shell/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@re-shell/[email protected]"],"fail_on":"high"}'

Publisherumutkorkmaz

Artifact bytes5,347,335

Previous version0.29.1

Published2026-06-09T06:53:25.235Z

SHA-2562d276c94e4866088836da4a9d678de55f69dee377645f1de992c9873c3142655

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

2h agoLast checked

highRisk

70Score

0.29.2Version

Status history (1 event)

new → available2h ago · risk high · score 70 · status changed

Evidence

Static findings

10 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	DNS / OAST exfiltration	package/dist/templates/backend/service-discovery.js	matched "dig @127.0.0.1 -p 8600 myservice.service.consul\n\n# CoreDNS (port 53) \ndig @127.0.0.1 myservice.consul\n\n# Kubernetes DNS\ndig myservice.default.svc.cluster.local\n\n# etcd service discovery\ncurl http://localhost:2379/v3/catalog/services\n\\`\\`\\`\n\n### HTTP API Discovery\n\n\\`\\`\\`bash\n# Consul Catalog API\ncurl http://localhost:8500/v1/catalog/services\n\n# Health status\ncurl http://localhost:8500/v1/health/service/myservice\n\n# Query specific datacenter\ncurl http://localhost:8500/v1/catalog/services?dc=dc1\n\\`\\`\\`\n\n## etcd Operations\n\n### Store and Retrieve Values\n\n\\`\\`\\`bash\n# Store configuration\n./scripts/etcd-put.sh localhost:2379 /config/database '{\"host\":\"localhost\",\"port\":5432}'\n\n# Retrieve configuration\n./scripts/etcd-get.sh localhost:2379 /config/database\n\n# Watch for changes\netcdctl watch /config/\n\\`\\`\\`\n\n## Health Checking\n\nConsul automatically checks service health:\n\n\\`\\`\\`bash\n# Service health endpoint\ncurl http://localhost:8500/v1/health/service/myservice?passing\n\n# Local agent health\ncurl http://localhost:8500/v1/agent/self\n\n# Cluster health\ncurl http://localhost:8500/v1/health/state/serf_health\n\\`\\`\\`\n\n## Service Mesh with Consul Connect\n\nEnable service mesh features:\n\n\\`\\`\\`bash\n# Intentions for service communication\nconsul intention create -source api-gateway -destination backend\n\n# Sidecar proxies\ndocker-compose up -d api-gateway-proxy backend-service-proxy\n\n# Verify connections\nconsul intention list\n\\`\\`\\`\n\n## Monitoring\n\n- Consul UI: http://localhost:8500\n- Prometheus: http://localhost:9090\n- Grafana: http://localhost:3000 (admin/admin)\n\n## Architecture\n\n\\`\\`\\`\n┌─────────────────────────────────────────────────────┐\n│ Service Discovery Layer │\n│ ┌────────────┐ ┌──────────┐ ┌──────────────┐ │\n│ │ Consul │ │ etcd │ │ Kubernetes │ │\n│ │ Cluster │ │ Cluster │ │ DNS │ │\n│ └─────┬──────┘ └────┬─────┘ └──────┬───────┘ │\n│ │ │ │ │\n└────────┼──────────────┼────────────────┼──────────┘\n │ │ │\n └──────────────┴────────────────┴────────┐\n │ Service Registration │\n └──────────────────────────┘\n ┌──────────────┴───────────────────────────┐\n │ Services Layer │\n │ ┌───────┐ ┌───────┐ ┌────────────┐ │\n │ │ API │ │Backend│ │ Frontend │ │\n │ │Gateway│ │Service│ │ App │ │\n │ └───────┘ └───────┘ └────────────┘ │\n └─────────────────────────────────────────┘\n\\`\\`\\`\n\n## License\n\nMIT\n`,\n 'Makefile': `.PHONY: help up down restart clean install test\n\nhelp: ## Show this help message\n\t@echo 'Usage: make [target]'\n\t@echo ''\n\t@echo 'Available targets:'\n\t@awk 'BEGIN {FS = \":.?## \"} /^[a-zA-Z_-]+:.?## / {printf \" \\\\033[36m%-15s\\\\033[0m %s\\\\n\", $$1, $$2}' $(MAKEFILE_LIST)\n\nup: ## Start all services\n\tdocker-compose up -d\n\ndown: ## Stop all services\n\tdocker-compose down\n\nrestart: ## Restart all services\n\tdocker-compose restart\n\nlogs: ## Show logs from all services\n\tdocker-compose logs -f\n\nlogs-consul: ## Show Consul logs\n\tdocker-compose logs -f consul-server1 consul-server2 consul-server3 consul-client\n\nlogs-etcd: ## Show etcd logs\n\tdocker-compose logs -f etcd1 etcd2 etcd3\n\nclean: ## Remove all containers and volumes\n\tdocker-compose down -v\n\tdocker system prune -af\n\ninstall: ## Install dependencies\n\tnpm install\n\ntest: ## Run tests\n\tnpm test\n\nregister: ## Register a service (usage: make register SERVICE=myservice PORT=8080)\n\t./scripts/register-service.sh $(SERVICE) 127.0.0.1 $(PORT)\n\ndiscover: ## Discover services\n\t./scripts/discover-service.sh $("	30

Show all 10 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	DNS / OAST exfiltration	package/dist/templates/backend/service-discovery.js	matched "dig @127.0.0.1 -p 8600 myservice.service.consul\n\n# CoreDNS (port 53) \ndig @127.0.0.1 myservice.consul\n\n# Kubernetes DNS\ndig myservice.default.svc.cluster.local\n\n# etcd service discovery\ncurl http://localhost:2379/v3/catalog/services\n\\`\\`\\`\n\n### HTTP API Discovery\n\n\\`\\`\\`bash\n# Consul Catalog API\ncurl http://localhost:8500/v1/catalog/services\n\n# Health status\ncurl http://localhost:8500/v1/health/service/myservice\n\n# Query specific datacenter\ncurl http://localhost:8500/v1/catalog/services?dc=dc1\n\\`\\`\\`\n\n## etcd Operations\n\n### Store and Retrieve Values\n\n\\`\\`\\`bash\n# Store configuration\n./scripts/etcd-put.sh localhost:2379 /config/database '{\"host\":\"localhost\",\"port\":5432}'\n\n# Retrieve configuration\n./scripts/etcd-get.sh localhost:2379 /config/database\n\n# Watch for changes\netcdctl watch /config/\n\\`\\`\\`\n\n## Health Checking\n\nConsul automatically checks service health:\n\n\\`\\`\\`bash\n# Service health endpoint\ncurl http://localhost:8500/v1/health/service/myservice?passing\n\n# Local agent health\ncurl http://localhost:8500/v1/agent/self\n\n# Cluster health\ncurl http://localhost:8500/v1/health/state/serf_health\n\\`\\`\\`\n\n## Service Mesh with Consul Connect\n\nEnable service mesh features:\n\n\\`\\`\\`bash\n# Intentions for service communication\nconsul intention create -source api-gateway -destination backend\n\n# Sidecar proxies\ndocker-compose up -d api-gateway-proxy backend-service-proxy\n\n# Verify connections\nconsul intention list\n\\`\\`\\`\n\n## Monitoring\n\n- Consul UI: http://localhost:8500\n- Prometheus: http://localhost:9090\n- Grafana: http://localhost:3000 (admin/admin)\n\n## Architecture\n\n\\`\\`\\`\n┌─────────────────────────────────────────────────────┐\n│ Service Discovery Layer │\n│ ┌────────────┐ ┌──────────┐ ┌──────────────┐ │\n│ │ Consul │ │ etcd │ │ Kubernetes │ │\n│ │ Cluster │ │ Cluster │ │ DNS │ │\n│ └─────┬──────┘ └────┬─────┘ └──────┬───────┘ │\n│ │ │ │ │\n└────────┼──────────────┼────────────────┼──────────┘\n │ │ │\n └──────────────┴────────────────┴────────┐\n │ Service Registration │\n └──────────────────────────┘\n ┌──────────────┴───────────────────────────┐\n │ Services Layer │\n │ ┌───────┐ ┌───────┐ ┌────────────┐ │\n │ │ API │ │Backend│ │ Frontend │ │\n │ │Gateway│ │Service│ │ App │ │\n │ └───────┘ └───────┘ └────────────┘ │\n └─────────────────────────────────────────┘\n\\`\\`\\`\n\n## License\n\nMIT\n`,\n 'Makefile': `.PHONY: help up down restart clean install test\n\nhelp: ## Show this help message\n\t@echo 'Usage: make [target]'\n\t@echo ''\n\t@echo 'Available targets:'\n\t@awk 'BEGIN {FS = \":.?## \"} /^[a-zA-Z_-]+:.?## / {printf \" \\\\033[36m%-15s\\\\033[0m %s\\\\n\", $$1, $$2}' $(MAKEFILE_LIST)\n\nup: ## Start all services\n\tdocker-compose up -d\n\ndown: ## Stop all services\n\tdocker-compose down\n\nrestart: ## Restart all services\n\tdocker-compose restart\n\nlogs: ## Show logs from all services\n\tdocker-compose logs -f\n\nlogs-consul: ## Show Consul logs\n\tdocker-compose logs -f consul-server1 consul-server2 consul-server3 consul-client\n\nlogs-etcd: ## Show etcd logs\n\tdocker-compose logs -f etcd1 etcd2 etcd3\n\nclean: ## Remove all containers and volumes\n\tdocker-compose down -v\n\tdocker system prune -af\n\ninstall: ## Install dependencies\n\tnpm install\n\ntest: ## Run tests\n\tnpm test\n\nregister: ## Register a service (usage: make register SERVICE=myservice PORT=8080)\n\t./scripts/register-service.sh $(SERVICE) 127.0.0.1 $(PORT)\n\ndiscover: ## Discover services\n\t./scripts/discover-service.sh $("	30
low	Credential file access	package/dist/templates/backend/adonisjs.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/groups/cloud.group.js	matched "AWS_ACCESS_KEY"	5
low	Messenger Bot Endpoint	package/dist/utils/collaboration.js	matched "hooks.slack.com/services/" — messenger-bot URL without exfil context (likely a notification handler)	5
low	Credential file access	package/dist/templates/backend/disaster-recovery.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/templates/backend/django.js	matched ".ssh/"	5
low	Credential file access	package/dist/templates/backend/global-cdn-integration.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/templates/backend/laravel.js	matched "AWS_ACCESS_KEY"	5
low	Credential file access	package/dist/templates/backend/middy.js	matched ".aws/"	5
low	Obfuscation Density	package/dist/dashboard/hub-server.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts14

buildtsc && mkdir -p dist/utils/schemas && cp src/schemas/workspace-v2.schema.json dist/utils/schemas/re-shell-workspace.schema.json && mkdir -p dist/completions && cp src/completions/bash dist/completions/bash && cp src/completions/zsh dist/completions/zsh
build:distnpm run build && npm run bundle:dashboard
bundle:dashboardnode scripts/bundle-dashboard.mjs
cleanrimraf dist
devtsc --watch
linteslint src --ext ts
testvitest run
test:coveragevitest run --coverage --config vitest.coverage.config.ts
test:e2evitest run tests/e2e
test:integrationvitest run tests/integration
test:plannode tests/run-cli-plan.mjs --suite=all
test:unitvitest run tests/unit
test:watchvitest
typechecktsc -p tsconfig.json --noEmit

Dependencies28

@re-shell/contracts^0.1.0
@types/inquirer^9.0.9
@types/js-yaml^4.0.9
@types/react^19.2.8
boxen^8.0.1
chalk^4.1.2
chokidar^4.0.3
cli-table3^0.6.5
commander^11.0.0
cosmiconfig^9.0.0
dayjs^1.11.13
dockerode^4.0.7
dotenv^16.6.0
ejs^3.1.10
fast-glob^3.3.3
fs-extra^11.0.0
glob^10.4.5
handlebars^4.7.8
ink^6.6.0
ink-spinner^5.0.0
inquirer^8.2.7
js-yaml^4.1.1
ora^5.4.1
prompts^2.0.0
react^19.2.3
semver^7.7.2
simple-git^3.32.3
yaml^2.3.2