registry  /  @alicloud/eiam20211201  /  2.17.1

@alicloud/eiam20211201@2.17.1

English | [简体中文](README-CN.md) ![](https://aliyunsdk-pages.alicdn.com/icons/AlibabaCloud.svg)

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a generated Alibaba Cloud EIAM SDK with user-invoked API calls and data model classes.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the SDK and explicitly calls client methods.
Impact
Expected Alibaba Cloud EIAM API requests only; no install-time execution or local credential/file harvesting observed.
Mechanism
Generated OpenAPI RPC client
Rationale
Static source inspection shows a generated Alibaba Cloud SDK with publish-time TypeScript compilation and user-invoked HTTPS API methods. The scanner secret hit is a request model property named password, not embedded credentials or exfiltration code.
Evidence
package.jsondist/client.jssrc/client.tsdist/models/CreateUserRequest.jssrc/models/CreateUserRequest.tsREADME.md
Network endpoints6
eiam.eu-central-1.aliyuncs.comeiam.cn-hongkong.aliyuncs.comeiam.cn-hangzhou.aliyuncs.comeiam.ap-southeast-5.aliyuncs.comeiam.ap-southeast-1.aliyuncs.comeiam.ap-northeast-2.aliyuncs.com

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepublishOnly script, but it is publish-time tsc, not install-time execution.
  • dist/models/CreateUserRequest.js contains a password field model, matching the scanner secret-pattern hint but not a hardcoded secret.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare hooks and no bin entry.
  • dist/client.js is an auto-generated Alibaba Cloud OpenAPI client; methods call this.callApi only when user invokes SDK methods.
  • dist/client.js imports only @darabonba/typescript, @alicloud/openapi-core, and local models.
  • rg found no child_process, fs file I/O, process.env harvesting, eval/Function, native binaries, or AI-agent control-surface writes.
  • Network hosts are Alibaba EIAM service endpoints in the client endpoint map.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2,092 file(s), 6.68 MB of source

Source & flagged code

4 flagged · loading source
dist/models/CreateUserRequest.jsView file
99patternName = generic_password severity = medium line = 99 matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/models/CreateUserRequest.jsView on unpkg · L99
dist/models/UpdateUserPasswordRequest.jsView file
43patternName = generic_password severity = medium line = 43 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in dist/models/UpdateUserPasswordRequest.js

dist/models/UpdateUserPasswordRequest.jsView on unpkg · L43
src/models/CreateUserRequest.tsView file
252patternName = generic_password severity = medium line = 252 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in src/models/CreateUserRequest.ts

src/models/CreateUserRequest.tsView on unpkg · L252
src/models/UpdateUserPasswordRequest.tsView file
58patternName = generic_password severity = medium line = 58 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in src/models/UpdateUserPasswordRequest.ts

src/models/UpdateUserPasswordRequest.tsView on unpkg · L58

Findings

4 Medium2 Low
MediumSecret Patterndist/models/CreateUserRequest.js
MediumSecret Patterndist/models/UpdateUserPasswordRequest.js
MediumSecret Patternsrc/models/CreateUserRequest.ts
MediumSecret Patternsrc/models/UpdateUserPasswordRequest.ts
LowNon Install Lifecycle Scripts
LowScripts Present