AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a generated Alibaba Cloud EIAM SDK with user-invoked API calls and data model classes.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports the SDK and explicitly calls client methods.
Impact
Expected Alibaba Cloud EIAM API requests only; no install-time execution or local credential/file harvesting observed.
Mechanism
Generated OpenAPI RPC client
Rationale
Static source inspection shows a generated Alibaba Cloud SDK with publish-time TypeScript compilation and user-invoked HTTPS API methods. The scanner secret hit is a request model property named password, not embedded credentials or exfiltration code.
Evidence
package.jsondist/client.jssrc/client.tsdist/models/CreateUserRequest.jssrc/models/CreateUserRequest.tsREADME.md
Network endpoints6
eiam.eu-central-1.aliyuncs.comeiam.cn-hongkong.aliyuncs.comeiam.cn-hangzhou.aliyuncs.comeiam.ap-southeast-5.aliyuncs.comeiam.ap-southeast-1.aliyuncs.comeiam.ap-northeast-2.aliyuncs.com
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has prepublishOnly script, but it is publish-time tsc, not install-time execution.
- dist/models/CreateUserRequest.js contains a password field model, matching the scanner secret-pattern hint but not a hardcoded secret.
Evidence against
- package.json has no preinstall/install/postinstall/prepare hooks and no bin entry.
- dist/client.js is an auto-generated Alibaba Cloud OpenAPI client; methods call this.callApi only when user invokes SDK methods.
- dist/client.js imports only @darabonba/typescript, @alicloud/openapi-core, and local models.
- rg found no child_process, fs file I/O, process.env harvesting, eval/Function, native binaries, or AI-agent control-surface writes.
- Network hosts are Alibaba EIAM service endpoints in the client endpoint map.
Behavioral surface
Source & flagged code
4 flagged · loading sourcedist/models/CreateUserRequest.jsView file
99patternName = generic_password
severity = medium
line = 99
matchedText = password...rd',
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/models/CreateUserRequest.jsView on unpkg · L99dist/models/UpdateUserPasswordRequest.jsView file
43patternName = generic_password
severity = medium
line = 43
matchedText = password...rd',
Medium
Secret Pattern
Hardcoded password in dist/models/UpdateUserPasswordRequest.js
dist/models/UpdateUserPasswordRequest.jsView on unpkg · L43src/models/CreateUserRequest.tsView file
252patternName = generic_password
severity = medium
line = 252
matchedText = password...rd',
Medium
Secret Pattern
Hardcoded password in src/models/CreateUserRequest.ts
src/models/CreateUserRequest.tsView on unpkg · L252src/models/UpdateUserPasswordRequest.tsView file
58patternName = generic_password
severity = medium
line = 58
matchedText = password...rd',
Medium
Secret Pattern
Hardcoded password in src/models/UpdateUserPasswordRequest.ts
src/models/UpdateUserPasswordRequest.tsView on unpkg · L58Findings
4 Medium2 Low
MediumSecret Patterndist/models/CreateUserRequest.js
MediumSecret Patterndist/models/UpdateUserPasswordRequest.js
MediumSecret Patternsrc/models/CreateUserRequest.ts
MediumSecret Patternsrc/models/UpdateUserPasswordRequest.ts
LowNon Install Lifecycle Scripts
LowScripts Present