registry  /  @astraguard/sdk  /  1.2.0

@astraguard/sdk@1.2.0

License key management SDK with HWID binding, software protection, fraud detection and encrypted file distribution for developers

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by static inspection. The package exposes user-invoked DRM/license validation and security-check functions that may gather HWID/system signals and contact the configured AstraGuard API.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application imports the SDK and calls createClient methods or enableSecurity/security functions.
Impact
Expected SDK behavior can fingerprint a machine for license binding and may terminate the host process when the consumer enables security enforcement; no unconsented install-time behavior was found.
Mechanism
user-invoked license validation, HWID generation, and anti-tamper checks
Rationale
The suspicious primitives are aligned with the advertised DRM/license SDK and appear user-invoked rather than install-time or import-time compromise. Obfuscation increases false-positive risk but, after inspecting manifest, docs, type surface, and bundled entries, there is no concrete exfiltration, persistence, destructive action, or agent-control hijack chain.
Evidence
package.jsonREADME.mddist/index.d.tsdist/index.d.mtsdist/index.jsdist/index.mjs
Network endpoints3
api.astraguard.iowww.astraguard.iowww.astraguard.io/support

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js and dist/index.mjs are heavily obfuscated, including a dynamic __require shim, which reduces auditability.
  • Security APIs include anti-debug, environment integrity, runtime integrity, and optional process termination on violation.
  • SDK APIs collect/generated HWID from OS/network characteristics and send it during license validation/activation by design.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly builds before publishing.
  • README and types describe a license-management SDK; network API endpoint is caller-supplied and examples use https://api.astraguard.io.
  • Declared filesystem-facing APIs are limited to optional integrity baseline/hash checks; no install-time writes or AI-agent control-surface mutation found.
  • No credential harvesting, broad home-directory scanning, destructive operations, persistence, or remote payload execution confirmed in package files.
  • Obfuscated runtime exports match documented SDK/security functions in dist/index.d.ts and README.md.
Behavioral surface
Source
DynamicRequire
Supply chain
MinifiedProtestwareTrivial
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.22 MB of source

Source & flagged code

1 flagged · loading source
dist/index.jsView file
1'use strict';(function(d,e){const p0={d:0x2e0,e:0x4a2,f:0xe31,g:0xdf9,h:0x90e,i:0x7f1,j:0x405,k:0xa1d,l:'\x28\x77\x35\x75',m:0x4c5,n:0x117,o:0xbeb,p:0x8f,q:0x84c,r:0x5a0,s:0x11bb,t...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1

Findings

1 Critical1 Medium2 Low
CriticalProtestware
MediumDynamic Requiredist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present