// npm package
berta-pulse
Local-first, BYOK multi-host ops + SEO control plane — scan, diagnose and fix across 12 hosts from your own machine.
versions
1
maintainers
1
license
UNLICENSED
first publish
2026-06-06
publisher
rondanini
tarball
1,721,824 B
AUTO-PUBLISHED · 1 version indexed · latest published 2026-06-06
// exfil path
what is read → where it ships
steals
- ● GitHub PAT
- ● GitLab PAT
- ● GCP creds
- ● AWS keys
- ● AI API keys
sends to
- ⤳ github.com (via hostname var)
// offending code · @0.1.0 · 4 files flagged
llm: malicious · 0.95 → Credential read (reads-github-tokens, reads-gitlab-tokens, reads-gcp-creds, reads-aws-creds, reads-ai-api-keys) paired with a dest-via-hostname-var destination — classic exfiltration signature.
- @0.1.0 · AUTO-PUBLISHED · publisher: rondanini · heuristic 40/100 · static flags 8 · llm malicious (0.95) via fast-track · new-publisher:0d · first-version-of-package · reads-github-tokens · reads-gitlab-tokens · reads-gcp-creds · reads-aws-creds · reads-env-vars · child-process-spawn · reads-ai-api-keys · dest-via-hostname-var
→ Credential read (reads-github-tokens, reads-gitlab-tokens, reads-gcp-creds, reads-aws-creds, reads-ai-api-keys) paired with a dest-via-hostname-var destination — classic exfiltration signature.
// offending code · 4 files flagged · patterns: 8
--- package/ui/app.js (excerpt) ---
// Browser-side state for the dashboard. These module-level bindings are
// mutated by handlers elsewhere in app.js (not part of this excerpt).
let findings = [];
let playbooks = [];
let selected = null;
let selectedFinding = null;
let busy = false;
let elapsedTimer = null;
let busyRowKey = null;
let providerErrors = [];
let providerStatus = null;
/** @type {Record<string, object>} */
let costWasteByKey = {};
let repoDeckCache = [];
/** @type {{ modules: object[] } | null} */
let modulesCache = null;

/** Shorthand for document.getElementById. */
const $ = (id) => document.getElementById(id);

/**
 * Call the local backend and return its parsed JSON body.
 *
 * A JSON content-type header is sent by default; `opts` is spread after it,
 * so a caller-supplied `opts.headers` object replaces (does not merge with)
 * that default. A response body that is not valid JSON is treated as `{}`.
 *
 * @param {string} path - URL or path handed straight to fetch().
 * @param {RequestInit} [opts] - extra fetch options.
 * @returns {Promise<object>} parsed response body.
 * @throws {Error} when the response status is not OK. The message is the
 *   server-supplied `data.error` when present, else `HTTP <status>`; that
 *   text comes from the response body, so treat it as untrusted when it is
 *   rendered (logActivity below routes it through esc()).
 */
async function api(path, opts = {}) {
  const res = await fetch(path, {
    headers: { "Content-Type": "application/json" },
    ...opts,
  });
  // Deliberate: a non-JSON body becomes {} so the status check below still
  // produces a usable error message instead of a parse exception.
  const data = await res.json().catch(() => ({}));
  if (!res.ok) throw new Error(data.error || `HTTP ${res.status}`);
  return data;
}

/** Current local time as HH:MM:SS in the browser's default locale. */
function nowTime() {
  return new Date().toLocaleTimeString([], { hour: "2-digit", minute: "2-digit", second: "2-digit" });
}

/**
 * Update the status pill: `state` becomes its CSS class, `label` its text.
 * textContent is used, so `label` is never interpreted as HTML.
 */
function setActivityState(state, label) {
  const el = $("activity-state");
  el.className = state;
  el.textContent = label;
}

/** Empty the activity log list. */
function clearActivityLog() {
  $("activity-log").innerHTML = "";
}

/**
 * Append one entry to the activity log.
 *
 * @param {string} kind - info | ok | warn | err; any other value still yields
 *   a `log-<kind>` class and falls back to the "●" icon.
 * @param {string} message - free-form text; it is the only caller-controlled
 *   value interpolated into innerHTML and goes through esc(), which is
 *   defined elsewhere in the file (presumably an HTML escaper — confirm).
 */
function logActivity(kind, message) {
  const ul = $("activity-log");
  // The placeholder row (.log-muted) is dropped on the first real entry.
  if (ul.querySelector(".log-muted")) ul.innerHTML = "";
  const icons = { info: "●", ok: "✓", warn: "!", err: "✗" };
  const li = document.createElement("li");
  li.className = `log-${kind}`;
  // nowTime() is generated locally and the icon comes from the fixed table
  // above. NOTE(review): `icons[kind]` is a plain-object lookup, so an
  // inherited key (e.g. "toString") would bypass the "●" fallback;
  // Object.hasOwn would be stricter.
  li.innerHTML = `<span class="time">${nowTime()}</span><span class="icon">${icons[kind] || "●"}</span><span>${esc(message)}</span>`;
  ul.appendChild(li);
  ul.scrollTop --- package/playbooks/cloudrun/playbooks.json (excerpt) ---
[
  {
    "id": "cloudrun-redeploy",
    "name": "Redeploy Cloud Run service",
    "provider": "cloudrun",
    "description": "Redeploy the service using its current container image.",
    "triggers": ["ERROR", "FAILED", "RECONCILING"],
    "steps": [ { "action": "cloudrun redeploy", "description": "gcloud run deploy with current image", "tier": 0 } ],
    "humanEscalation": [ "Requires gcloud auth login or GCP_ACCESS_TOKEN", "Set GCP_PROJECT_ID and GCP_RUN_REGIONS in Settings" ]
  }
]
--- package/lib/amplify.mjs (excerpt) ---
import { runCli } from "./cli.mjs";
import { getAwsCredentials } from "./bootstrap.mjs";

// The `aws` binary and the per-call timeout (ms) are overridable via env.
const AWS_BIN = process.env.AWS_BIN || "aws";
const AWS_TIMEOUT = Number(process.env.AWS_API_TIMEOUT_MS || 60_000);

/**
 * Build the environment for an `aws` CLI child process.
 *
 * Starts from a copy of the entire parent process.env and overlays the
 * credentials returned by getAwsCredentials() as the standard AWS_* vars
 * (region is written to both AWS_REGION and AWS_DEFAULT_REGION). Only
 * fields that are truthy are overlaid, so existing values survive otherwise.
 * NOTE(review): forwarding all of process.env rather than just the AWS_*
 * keys exposes every other secret in the environment to the child process —
 * confirm this is intended.
 *
 * @returns {NodeJS.ProcessEnv} environment for runCli().
 */
function awsEnv() {
  const creds = getAwsCredentials();
  const env = { ...process.env };
  if (creds.accessKeyId) env.AWS_ACCESS_KEY_ID = creds.accessKeyId;
  if (creds.secretAccessKey) env.AWS_SECRET_ACCESS_KEY = creds.secretAccessKey;
  if (creds.sessionToken) env.AWS_SESSION_TOKEN = creds.sessionToken;
  if (creds.region) {
    env.AWS_REGION = creds.region;
    env.AWS_DEFAULT_REGION = creds.region;
  }
  if (creds.profile) env.AWS_PROFILE = creds.profile;
  return env;
}

/**
 * Run `aws <args> --output json` through runCli and parse stdout as JSON.
 *
 * @param {string[]} args - CLI arguments as an argv array (presumably spawned
 *   without a shell — confirm in cli.mjs).
 * @returns {Promise<any>} parsed JSON output.
 * @throws whatever runCli raises on failure/timeout, or a SyntaxError when
 *   stdout is not JSON.
 */
async function awsJson(args) {
  const out = await runCli(AWS_BIN, [...args, "--output", "json"], awsEnv(), AWS_TIMEOUT);
  return JSON.parse(out);
}

/**
 * Normalise one Amplify app branch into the dashboard's common service
 * record. Status prefers the active job reason, then status, then stage;
 * the public URL is derived from the app's default domain (null without one).
 * The excerpt is cut off inside the returned object; the rest of this
 * function is not visible here.
 */
function mapBranch(app, branch, scanSource) {
  const status = branch.activeJobReason ?? branch.status ?? branch.stage ?? null;
  const branchName = branch.branchName ?? "main";
  const url = app.defaultDomain && branchName ? `https://${branchName}.${app.defaultDomain}` : app.defaultDomain ? `https://${app.defaultDomain}` : null;
  return { provider: "amplify", projectId: app.appId, projectName: app.name, environmentId: branch.branchName ?? "main", serviceId: `${app.appId}:${branch.branchName ?? "main"}`, serviceName: `${app.name}/${branch.branchName ?? "m --- package/lib/bootstrap.mjs (excerpt) --- import { readFile } from "node:fs/promises"; import { homedir } from "node:os"; import path from "node:path"; /** Token from `vercel login` config — API fallback only (not exported to VERCEL_TOKEN). */ let vercelApiToken = null; /** Token from Netlify CLI config — API only (not exported to NETLIFY_AUTH_TOKEN).
*/ let netlifyApiToken = null;

// Credential sourcing is centralised here: each getter reads one or more
// environment variables and returns null for anything unset or empty.
// Values returned by getAwsCredentials() are later copied into the
// environment of the `aws` child process (see awsEnv in amplify.mjs).

/** Vercel token: VERCEL_TOKEN env var, else the token loaded from the CLI config. */
export function getVercelApiToken() {
  return process.env.VERCEL_TOKEN || vercelApiToken;
}

/** Netlify token: NETLIFY_AUTH_TOKEN env var, else the CLI-config token. */
export function getNetlifyApiToken() {
  return process.env.NETLIFY_AUTH_TOKEN || netlifyApiToken;
}

/** Render API key from RENDER_API_KEY, or null. */
export function getRenderApiKey() {
  return process.env.RENDER_API_KEY || null;
}

/** Fly.io token from FLY_API_TOKEN, or null. */
export function getFlyApiToken() {
  return process.env.FLY_API_TOKEN || null;
}

/** Cloudflare API token and account id; either may be null. */
export function getCloudflareCredentials() {
  return { token: process.env.CLOUDFLARE_API_TOKEN || null, accountId: process.env.CLOUDFLARE_ACCOUNT_ID || null, };
}

/** DigitalOcean token from DO_API_TOKEN, or null. */
export function getDigitalOceanToken() {
  return process.env.DO_API_TOKEN || null;
}

/** Coolify instance URL and API token; either may be null. */
export function getCoolifyCredentials() {
  return { url: process.env.COOLIFY_URL || null, token: process.env.COOLIFY_API_TOKEN || null, };
}

/** Heroku API key from HEROKU_API_KEY, or null. */
export function getHerokuApiKey() {
  return process.env.HEROKU_API_KEY || null;
}

/** Koyeb token from KOYEB_API_TOKEN, or null. */
export function getKoyebApiToken() {
  return process.env.KOYEB_API_TOKEN || null;
}

/** AWS credentials from the AWS_* env vars (excerpt cut off mid-object). */
export function getAwsCredentials() {
  return { accessKeyId: process.env.AWS_ACCESS_KEY_ID || null, secretAccessKey: process.env.AWS_SECRET_ACCES --- dynamic destinations --- → github.com (via hostname-var)
