AI Security Review
scanned 3h ago · by lpm-firewall-aiRuntime fiscal requests disable TLS peer verification for mTLS connections. This can permit an on-path attacker to impersonate configured HTTPS fiscal endpoints and observe or alter transaction traffic.
Static reason
No blocking static signals were detected.
Trigger
A consumer calls an NFC-e, NF-e, or CT-e operation that contacts SEFAZ.
Impact
Potential interception or manipulation of fiscal request and response data on a hostile network.
Mechanism
HTTPS mTLS request with certificate verification disabled.
Rationale
The package appears aligned with its documented fiscal-provider purpose and shows no malicious execution, persistence, or exfiltration behavior. Its explicit TLS-verification bypass is a material transport-security vulnerability, so it should be warned rather than treated as clean.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints4
nfe.fazenda.sp.gov.brnfe.svrs.rs.gov.brbrasilapi.com.br/api/cnpj/v1/receitaws.com.br/v1/cnpj/
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/index.js` disables TLS certificate verification (`rejectUnauthorized: false`) for SEFAZ mTLS requests.
- The disabled verification applies during user-invoked fiscal SOAP operations, creating a network MITM integrity risk.
Evidence against
- `package.json` has no preinstall, install, or postinstall hooks.
- The published package contains only `dist` artifacts and type declarations.
- `dist/index.js` imports no filesystem or child-process modules and contains no file-write or shell-execution primitives.
- Network requests implement documented fiscal-provider functions, including SEFAZ SOAP, SAT/NFS-e configured URLs, and public CNPJ lookups.
- `MOCK_SEFAZ_URL` is a test override rather than credential harvesting or exfiltration.
- No AI-agent configuration, persistence, remote payload loading, or destructive behavior was found.
Behavioral surface
CryptoEnvironmentVarsNetwork
HighEntropyStringsObfuscatedUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Stripped Provenance Metadata
`dist/index.js` disables TLS certificate verification (`rejectUnauthorized: false`) for SEFAZ mTLS requests.
package.jsonView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumStripped Provenance Metadatapackage.json
MediumAi Review Evidence
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings