registry  /  @decentnetwork/peer  /  0.1.73

@decentnetwork/peer@0.1.73

Pure TypeScript port of Elastos Carrier (toxcore-derived) P2P messaging. DHT, onion routing, TCP relay, FlatBuffers app payloads, Express offline relay. Wire-compatible with iOS Beagle and the Carrier C SDK.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network and file writes are package-aligned peer messaging behavior activated by library/CLI use.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports library and calls Peer.start/joinNetwork, or runs decent-peer CLI commands.
Impact
Creates local peer identity/config/friend state and contacts configured bootstrap/relay nodes for messaging.
Mechanism
P2P messaging client with UDP/TCP/TURN/HTTPS relay support and local peer state persistence.
Rationale
Static inspection shows a legitimate P2P messaging package whose network, env var, crypto, and local file operations are consistent with user-invoked peer functionality. Scanner hits such as hardcoded relay credentials and MD5/STUN code are protocol/service details, not evidence of malware.
Evidence
package.jsondist/index.jsdist/cli.jsdist/peer.jsdist/crypto/keypair.jsdist/compat/express.jsdist/transport/udp.js~/.decent-peer/config.json~/.decent-peer/peer.save<keyFile>.friends.json
Network endpoints3
47.100.103.201:33445tokyo.fi.chat:3478${node.host}:${node.port}/${path}

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall hooks; only prepublishOnly build/typecheck.
    • dist/index.js only re-exports modules; no import-time execution beyond constants.
    • dist/cli.js writes config only via explicit decent-peer init and uses DECENT_PEER_CONFIG override.
    • dist/peer.js network behavior is P2P/DHT/TURN/relay functionality aligned with package purpose.
    • dist/crypto/keypair.js creates/reads only the configured peer identity key file.
    • No child_process, eval, Function, dynamic remote code loading, credential harvesting, or AI-agent config mutation found.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStrings
    Manifest
    CopyleftLicense
    scanned 43 file(s), 446 KB of source

    Source & flagged code

    2 flagged · loading source
    dist/peer.jsView file
    30patternName = generic_password severity = medium line = 30 matchedText = { host: ...s" }
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/peer.jsView on unpkg · L30
    dist/stun.jsView file
    123const hmacInput = concatBytes([headerForHmac, body]); L124: const hmac = createHmac("sha1", Buffer.from(opts.integrityKey)).update(hmacInput).digest(); L125: body = concatBytes([
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/stun.jsView on unpkg · L123

    Findings

    3 Medium6 Low
    MediumSecret Patterndist/peer.js
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowWeak Cryptodist/stun.js
    LowFilesystem
    LowHigh Entropy Strings
    LowCopyleft License