ssh2

SSH2 client and server modules written in pure JavaScript for node.js

7 Versions
License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mscdex

Keywords

ssh, ssh2, sftp, secure, shell, exec, remote, client

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff net-exec-file:mscdex-ssh2-45e28ae/lib/protocol/node-fs-compat.js AI (source-diff): FS compat shim with error classes and BigInt feature detection via new Function(); no actual network or exec calls. ai
source-diff obfuscated-file:mscdex-ssh2-45e28ae/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; minified asm.js output is expected for compiled crypto primitives. ai
source-diff obfuscated-file:mscdex-ssh2-83109f9/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; minified asm.js output is expected for compiled crypto primitives. ai
source-diff net-exec-file:mscdex-ssh2-83109f9/lib/protocol/node-fs-compat.js AI (source-diff): False positive: file contains error classes and BigInt feature detection via new Function(), no actual network calls. ai
source-diff source-size-tripled AI (source-diff): ssh2 v1.x internalized ssh2-streams; size increase reflects consolidation of protocol code into the main package. ai
source-diff obfuscated-file:mscdex-ssh2-51cbe0f/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; long lines are asm.js output, not obfuscation. Standard for crypto in SSH libraries. ai
source-diff net-exec-file:mscdex-ssh2-51cbe0f/lib/protocol/node-fs-compat.js AI (source-diff): Node.js compat/error utility; new Function() is BigInt feature detection. No actual network or exec patterns. ai
source-diff obfuscated-file:mscdex-ssh2-9102976/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; minified asm.js output is expected for this crypto primitive. ai
source-diff net-exec-file:mscdex-ssh2-9102976/lib/protocol/node-fs-compat.js AI (source-diff): Node.js compat utility with BigInt feature detection via new Function(); no actual network or malicious exec. ai
source-diff obfuscated-file:mscdex-ssh2-69c4df1/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; minified asm.js output is expected, not hand-crafted obfuscation. ai
source-diff net-exec-file:mscdex-ssh2-69c4df1/lib/protocol/node-fs-compat.js AI (source-diff): FS compat shim with BigInt feature detection via new Function(); no actual network or exec activity. False positive. ai
source-diff obfuscated-file:mscdex-ssh2-c3592e7/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled poly1305 crypto implementation; standard WebAssembly fallback pattern for ssh2's crypto layer. ai
source-diff net-exec-file:mscdex-ssh2-c3592e7/lib/protocol/node-fs-compat.js AI (source-diff): File contains only error class definitions and utility functions; no actual network or exec calls. False positive. ai
source-diff net-exec-file:mscdex-ssh2-5ae69d7/lib/protocol/node-fs-compat.js AI (source-diff): Node.js compat utility with error classes and BigInt feature detection via new Function(); no actual network or exec patterns. ai
source-diff obfuscated-file:mscdex-ssh2-5ae69d7/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled asm.js output for Poly1305 MAC crypto primitive; standard for performance-critical crypto in SSH library. ai
source-diff net-exec-file:mscdex-ssh2-97d3ed4/lib/protocol/node-fs-compat.js AI (source-diff): Node.js compat shim with BigInt feature detection via new Function(); no actual network or exec behavior. ai
source-diff obfuscated-file:mscdex-ssh2-97d3ed4/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation — standard crypto primitive output, not obfuscation. ai
source-diff obfuscated-file:mscdex-ssh2-8f3ff6f/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; minified asm.js output is expected for compiled crypto primitives in an SSH library. ai
source-diff net-exec-file:mscdex-ssh2-8f3ff6f/lib/protocol/node-fs-compat.js AI (source-diff): FS compat/error module with BigInt feature detection via new Function(); no actual network or exec payload. ai
phantom-deps phantom-dep:nan AI (phantom-deps): nan is an optionalDependency for native addon compilation; not directly imported in JS source but used by node-gyp build. ai
source-diff net-exec-file:mscdex-ssh2-34546ab/lib/protocol/node-fs-compat.js AI (source-diff): Error-handling utility with BigInt feature detection via new Function(); no actual network calls or malicious execution. ai
source-diff obfuscated-file:mscdex-ssh2-34546ab/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; long lines are asm.js/WASM output, not hand-crafted obfuscation. ai
source-diff large-new-source-files AI (source-diff): Tarball structure change causes files to appear new. Source files are expected SSH2 library components. ai
source-diff net-exec-file:mscdex-ssh2-d5c97b4/lib/protocol/node-fs-compat.js AI (source-diff): False positive. File contains error classes and BigInt feature detection via new Function(). No actual network calls or malicious execution. ai
source-diff obfuscated-file:mscdex-ssh2-d5c97b4/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation; long lines are asm.js/WASM output, not obfuscation. Standard for crypto libraries. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function('return 2n ** 32n') is a standard BigInt feature-detection pattern for older Node.js versions. ai
semgrep semgrep:child-process-import AI (semgrep): install.js uses spawnSync for native addon compilation — standard for packages with optional C++ bindings. ai
source-diff net-exec-file:mscdex-ssh2-5c506eb/lib/protocol/node-fs-compat.js AI (source-diff): False positive — file is a Node.js error/assertion compat layer with no actual network or exec calls. ai
source-diff obfuscated-file:mscdex-ssh2-5c506eb/lib/protocol/crypto/poly1305.js AI (source-diff): Emscripten-compiled Poly1305 MAC implementation (ChaCha20-Poly1305 cipher). Minified asm.js output is expected. ai
npm-metadata bundled-binaries AI (npm-metadata): pagent.exe is the PuTTY authentication agent helper, a long-standing component of ssh2 for Windows SSH agent support. ai
install-scripts install-script:install AI (install-scripts): ssh2 uses install script to build optional native crypto bindings (cpu-features, nan). Standard for native addon packages. ai
semgrep semgrep:base64-decode AI (semgrep): Base64 in poly1305.js is Emscripten runtime loading embedded WASM binary data. Standard compiler output. ai
semgrep semgrep:hex-decode AI (semgrep): SSH key parsing naturally involves hex-encoded data. Expected for an SSH library. ai

Versions (showing 7 of 7)

Version Deps Published
1.17.0 2 / 2
1.15.0 4 / 2
1.12.0 4 / 2
1.10.0 4 / 2
1.9.0 4 / 2
1.8.0 4 / 2
1.4.0 4 / 2

v1.17.0

5 findings
HIGH Package has 'install' script install-scripts

Script: node install.js

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors:
• mscdex-ssh2-5c506eb/util/pagent.exe

HIGH New obfuscated file: mscdex-ssh2-5c506eb/lib/protocol/crypto/poly1305.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: mscdex-ssh2-5c506eb/lib/protocol/node-fs-compat.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.15.0

3 findings
HIGH New obfuscated file: mscdex-ssh2-34546ab/lib/protocol/crypto/poly1305.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: mscdex-ssh2-34546ab/lib/protocol/node-fs-compat.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.0

3 findings
HIGH New obfuscated file: mscdex-ssh2-83109f9/lib/protocol/crypto/poly1305.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: mscdex-ssh2-83109f9/lib/protocol/node-fs-compat.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.10.0

3 findings
HIGH New obfuscated file: mscdex-ssh2-8f3ff6f/lib/protocol/crypto/poly1305.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: mscdex-ssh2-8f3ff6f/lib/protocol/node-fs-compat.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.0

3 findings
HIGH New obfuscated file: mscdex-ssh2-9102976/lib/protocol/crypto/poly1305.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: mscdex-ssh2-9102976/lib/protocol/node-fs-compat.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.0

3 findings
HIGH New obfuscated file: mscdex-ssh2-45e28ae/lib/protocol/crypto/poly1305.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: mscdex-ssh2-45e28ae/lib/protocol/node-fs-compat.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.0

3 findings
HIGH New obfuscated file: mscdex-ssh2-5ae69d7/lib/protocol/crypto/poly1305.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: mscdex-ssh2-5ae69d7/lib/protocol/node-fs-compat.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.