registry  /  4bnode  /  4.1.9

4bnode@4.1.9

4bnode is a CLI-powered backend development platform with a built-in visual dashboard to generate, manage, and test Node.js/Express APIs faster.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time behavior. The package is an explicit CLI/project generator; its generated local dashboard can write project files and install dependencies only after user commands or authenticated local dashboard actions.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `4bnode init`/feature command or use of the generated local `/_dev` dashboard.
Impact
Writes within the selected/generated project and makes optional user-configured network requests; no unconsented package-host mutation was found.
Mechanism
User-invoked project scaffolding, dashboard administration, and optional provider integrations.
Rationale
The flagged execution, network, and environment operations are aligned with an explicit scaffolding CLI and a locally restricted development dashboard. The legacy passkey helper and official-domain notification are concerning design choices, but neither establishes malicious behavior or unconsented execution/exfiltration.
Evidence
package.jsonindex.jsscripts/reveal-passkey.mjsskeleton/index.jsskeleton/.4bnode/dev-api.jsskeleton/.4bnode/codegen.jsskeleton/.4bnode/ui.htmlskeleton/.envskeleton/src/services/mailer.js
Network endpoints3
api.openai.com/v1/chat/completionsapi.anthropic.com/v1/messagesesm.sh/react@18.3.1

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `scripts/reveal-passkey.mjs` brute-forces legacy numeric SHA-256 passkeys when explicitly run against a supplied app path.
  • `skeleton/.4bnode/dev-api.js` reports host, OS-user, app name, and sender address only after an authorized `4brains.in` mail setup.
  • `skeleton/.4bnode/ui.html` loads dashboard libraries from `esm.sh` at dashboard runtime.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook is present.
  • `index.js` runs copying and `npm install` only for the explicit `4bnode init` command.
  • `skeleton/.4bnode/dev-api.js` disables the dashboard in production by default and restricts it to loopback unless explicitly enabled remotely.
  • AI requests target documented provider APIs and use project-configured keys only after dashboard use.
  • No AI-agent control-surface paths or unrelated credential/file harvesting were found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 35 file(s), 256 KB of source

Source & flagged code

8 flagged · loading source
skeleton/.envView file
patternName = blocked_file severity = critical matchedText = skeleton/.env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

skeleton/.envView on unpkg
index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = 4bnode@4.1.8 matchedIdentity = npm:NGJub2Rl:4.1.8 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

index.jsView on unpkg
5import crypto from "crypto"; L6: import { execSync, execFileSync } from "child_process"; L7: import { fileURLToPath } from "url";
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L5
57const spec = names.map((n) => `${n}@latest`).join(" "); L58: execSync(`npm install ${dev ? "-D " : ""}${spec}`, { L59: stdio: "pipe",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

index.jsView on unpkg · L57
scripts/audit-dev-surface.mjsView file
36[/\bspawn(Sync)?\s*\(/, 'spawn() call'], L37: [/\beval\s*\(/, 'eval()'], L38: [/new\s+Function\s*\(/, 'new Function()'],
Low
Eval

Package source references a known benign dynamic code generation pattern.

scripts/audit-dev-surface.mjsView on unpkg · L36
add-email.jsView file
34async function sendOfficialNotify(root, ctx) { L35: const require = createRequire(path.join(root, "package.json")); L36: let appName = "unknown";
Medium
Dynamic Require

Package source references dynamic require/import behavior.

add-email.jsView on unpkg · L34
107patternName = generic_password severity = medium line = 107 matchedText = const pa...m();
Medium
Secret Pattern

Hardcoded password in add-email.js

add-email.jsView on unpkg · L107
skeleton/.4bnode/assets/fonts/NotoSans-SemiBold.woff2View file
path = skeleton/.4bnode/assets/fonts/NotoSans-SemiBold.woff2 kind = high_entropy_blob sizeBytes = 208184 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

skeleton/.4bnode/assets/fonts/NotoSans-SemiBold.woff2View on unpkg

Findings

2 Critical4 High5 Medium6 Low
CriticalCritical Secretskeleton/.env
CriticalPrevious Version Dangerous Deltaindex.js
HighChild Processindex.js
HighShell
HighRuntime Package Installindex.js
HighShips High Entropy Blobskeleton/.4bnode/assets/fonts/NotoSans-SemiBold.woff2
MediumDynamic Requireadd-email.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternadd-email.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalscripts/audit-dev-surface.mjs
LowFilesystem
LowHigh Entropy Strings
LowNo License