
@axiom-lattice/microsandbox-service@0.0.51

`@axiom-lattice/microsandbox-service` runs an HTTP service for managing microsandbox-backed sandbox lifecycle operations.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is a user-invoked microsandbox management service. It contains a shell command injection risk in API-reachable msb CLI wrappers, but no evidence of intentional malware or install-time compromise.

Static reason: No blocking static signals were detected; the previous stored version diff introduced a dangerous source file.
Trigger: User runs lattice-microsandbox-service and an API caller supplies a crafted image ref or sandbox name.
Impact: Potential host command execution in the service process context if exposed to untrusted callers.
Mechanism: Unsanitized string interpolation into child_process.exec shell commands.
Rationale: Static source inspection found a real API-reachable shell injection risk, so this should not be marked clean. There is no lifecycle hook, stealth persistence, exfiltration, or unconsented AI-agent control mutation indicating malicious package intent.
Evidence
  • package.json
  • src/cli.ts
  • src/server.ts
  • src/app.ts
  • src/services/ImageService.ts
  • src/services/MicrosandboxRuntimeService.ts
  • src/services/SandboxRegistry.ts
  • src/controllers/volume-fs.ts
  • src/schemas/sandbox.ts
  • /proc/net/unix
  • /root/.microsandbox/run/agent
  • ~/.microsandbox/bin/msb
  • ~/.microsandbox/volumes
Network endpoints (1)
  • localhost:4002

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • src/services/ImageService.ts uses execAsync with shell-interpolated image refs for msb image pull/inspect/rm.
  • src/services/MicrosandboxRuntimeService.ts readMsbInspect interpolates sandbox name into execAsync shell command.
  • src/server.ts binds default host to 0.0.0.0; API key is optional via MICROSANDBOX_API_KEY.
  • src/schemas/images.ts and sandbox name params do not appear to shell-escape refs/names before those exec paths.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • src/cli.ts only starts the Fastify service when the bin is invoked.
  • No hardcoded exfiltration or C2 endpoints found; only localhost Swagger URL and user/configured OCI image refs.
  • No eval/vm/Function, obfuscated payload, credential harvesting, persistence, or AI-agent control-surface mutation found.
  • Sandbox file/command APIs are explicit runtime service features aligned with package purpose.
Behavioral surface
  • Source: Child Process, Environment Vars, Filesystem, Shell
  • Supply chain: No supply-chain packaging signals triggered.
  • Manifest: No License
scanned 30 file(s), 114 KB of source

Source & flagged code

1 flagged

dist/chunk-IKWYDXRG.mjs
  matchType = previous_version_dangerous_delta
  matchedPackage = @axiom-lattice/microsandbox-service@0.0.49
  matchedIdentity = npm:[redacted]:0.0.49
  similarity = 0.900
  summary = stored previous version shares package body but lacks this dangerous source file
High: Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

1 High, 1 Medium, 3 Low
  • High: Previous Version Dangerous Delta (dist/chunk-IKWYDXRG.mjs)
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: No License