registry  /  @akshay2642005/fingerprint-sdk  /  0.1.1

@akshay2642005/fingerprint-sdk@0.1.1

Browser fingerprinting SDK — 102 signals, WASM-powered. Zero setup, just a script tag.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The exported browser API collects a broad device/browser fingerprint when explicitly invoked. It processes values locally in embedded WASM and returns the result to the caller; no package-owned exfiltration endpoint is present.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer calls `collect()` or `getFingerprint()` at runtime.
Impact
Enables application-level device tracking if a consuming site transmits or correlates the returned fingerprint.
Mechanism
User-invoked browser fingerprint collection and local WASM hashing.
Rationale
This is not malware or an install-time attack, but it intentionally supplies a high-risk browser-fingerprinting capability with broad user-agent signal collection. A warn verdict is appropriate for the dangerous tracking capability despite no confirmed package-owned exfiltration.
Evidence
package.jsondist/fingerprint.esm.jsdist/fingerprint.umd.jsdist/index.d.tsdist/demo.html

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/fingerprint.esm.js` exports `collect`, which gathers browser/device signals including canvas, WebGL, audio, battery, speech voices, and permission states.
  • `collect()` hashes the collected values in embedded WASM and returns a stable fingerprint plus risk/entropy metadata.
  • The package purpose and runtime behavior provide a browser-fingerprinting capability that can be used for tracking.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes for consumers.
  • `dist/fingerprint.esm.js` runs collection only when the consumer calls the exported `collect`/`getFingerprint` API.
  • Reviewed runtime bundles contain no fetch/XHR/beacon/WebSocket construction, credential harvesting, filesystem access, shell execution, or dynamic code execution.
  • The embedded WASM is decoded locally and instantiated for fingerprint computation; no remote payload is loaded.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinified
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.11 MB of source

Source & flagged code

3 flagged · loading source
dist/fingerprint.esm.jsView file
6patternName = aws_access_key severity = critical line = 6 matchedText = const WA...h0";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/fingerprint.esm.jsView on unpkg · L6
6patternName = aws_access_key severity = critical line = 6 matchedText = const WA...h0";
Critical
Secret Pattern

AWS access key ID in dist/fingerprint.esm.js

dist/fingerprint.esm.jsView on unpkg · L6
dist/fingerprint.umd.jsView file
23patternName = aws_access_key severity = critical line = 23 matchedText = const WA...h0";
Critical
Secret Pattern

AWS access key ID in dist/fingerprint.umd.js

dist/fingerprint.umd.jsView on unpkg · L23

Findings

3 Critical3 Low
CriticalCritical Secretdist/fingerprint.esm.js
CriticalSecret Patterndist/fingerprint.esm.js
CriticalSecret Patterndist/fingerprint.umd.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings