AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an explicit CDN and edge-optimization management client that can mutate configured AWS/Fastly resources when its exported methods are called with caller-provided credentials.
Decision evidence
public snapshot- `package.json` has no preinstall/install/postinstall hooks or bin entrypoint.
- `src/index.js` exports a client; import only defines classes/functions.
- `src/cdn/cloudfront/index.js` performs named CloudFront/IAM/Lambda control-plane actions only through explicit exported calls.
- `src/fastly-kv-client.js` and `src/cdn/fastly-cdn-client.js` call Fastly APIs using caller-supplied configuration.
- `test/cdn/cloudfront-cdn-client.test.js` contains documented AWS EXAMPLE test credentials, not live package secrets.
- No source use of shell execution, eval/vm, filesystem harvesting, or local persistence was found.
Source & flagged code
4 flagged · loading sourcePackage contains a critical-looking secret pattern.
test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L104AWS access key ID in test/cdn/cloudfront-cdn-client.test.js
test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L104AWS access key ID in test/cdn/cloudfront-cdn-client.test.js
test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L140AWS access key ID in test/cdn/cloudfront-cdn-client.test.js
test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L252