AI Security Review
scanned 2h ago · by lpm-firewall-aiThe exported browser API collects a broad device/browser fingerprint when explicitly invoked. It processes values locally in embedded WASM and returns the result to the caller; no package-owned exfiltration endpoint is present.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer calls `collect()` or `getFingerprint()` at runtime.
Impact
Enables application-level device tracking if a consuming site transmits or correlates the returned fingerprint.
Mechanism
User-invoked browser fingerprint collection and local WASM hashing.
Rationale
This is not malware or an install-time attack, but it intentionally supplies a high-risk browser-fingerprinting capability with broad user-agent signal collection. A warn verdict is appropriate for the dangerous tracking capability despite no confirmed package-owned exfiltration.
Evidence
package.jsondist/fingerprint.esm.jsdist/fingerprint.umd.jsdist/index.d.tsdist/demo.html
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/fingerprint.esm.js` exports `collect`, which gathers browser/device signals including canvas, WebGL, audio, battery, speech voices, and permission states.
- `collect()` hashes the collected values in embedded WASM and returns a stable fingerprint plus risk/entropy metadata.
- The package purpose and runtime behavior provide a browser-fingerprinting capability that can be used for tracking.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes for consumers.
- `dist/fingerprint.esm.js` runs collection only when the consumer calls the exported `collect`/`getFingerprint` API.
- Reviewed runtime bundles contain no fetch/XHR/beacon/WebSocket construction, credential harvesting, filesystem access, shell execution, or dynamic code execution.
- The embedded WASM is decoded locally and instantiated for fingerprint computation; no remote payload is loaded.
Behavioral surface
HighEntropyStringsMinified
Source & flagged code
3 flagged · loading sourcedist/fingerprint.esm.jsView file
6patternName = aws_access_key
severity = critical
line = 6
matchedText = const WA...h0";
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/fingerprint.esm.jsView on unpkg · L66patternName = aws_access_key
severity = critical
line = 6
matchedText = const WA...h0";
Critical
dist/fingerprint.umd.jsView file
23patternName = aws_access_key
severity = critical
line = 23
matchedText = const WA...h0";
Critical
Secret Pattern
AWS access key ID in dist/fingerprint.umd.js
dist/fingerprint.umd.jsView on unpkg · L23Findings
3 Critical3 Low
CriticalCritical Secretdist/fingerprint.esm.js
CriticalSecret Patterndist/fingerprint.esm.js
CriticalSecret Patterndist/fingerprint.umd.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings