registry  /  @decentnetwork/peer  /  0.1.74

@decentnetwork/peer@0.1.74

Pure TypeScript port of Elastos Carrier (toxcore-derived) P2P messaging. DHT, onion routing, TCP relay, FlatBuffers app payloads, Express offline relay. Wire-compatible with iOS Beagle and the Carrier C SDK.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package implements an explicit P2P messaging peer that persists its own identity/friend state and talks to configured bootstrap, TURN, TCP relay, and optional HTTPS express relay endpoints.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs decent-peer subcommands or application code calls Peer.start()/joinNetwork()/send APIs.
Impact
Expected peer identity creation, message relay, and network traffic for the package's stated function; no unconsented install-time mutation or exfiltration found.
Mechanism
User-invoked P2P networking with local key/friend persistence
Rationale
Static source inspection shows suspicious primitives are package-aligned P2P, TURN/STUN, relay, and local identity persistence features invoked by users, with no install-time execution or concrete malicious chain. Mark clean.
Evidence
package.jsondist/index.jsdist/cli.jsdist/peer.jsdist/crypto/keypair.jsdist/compat/express.jsdist/stun.jsdist/turn.jsdist/turn-creds.jsdist/transport/udp.js~/.decent-peer/config.json~/.decent-peer/peer.save<keyFile><keyFile>.friends.json
Network endpoints3
47.100.103.201:33445tokyo.fi.chat:3478<express-node-host>:<express-node-port>/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime network code connects to configured P2P bootstrap/TURN/relay nodes, including 47.100.103.201:33445 and tokyo.fi.chat:3478.
  • CLI and Peer.start create/read local identity/config files such as ~/.decent-peer/config.json, keyFile, and <keyFile>.friends.json.
  • dist/compat/express.js can POST/GET/DELETE encrypted offline relay messages over HTTPS to user/configured express nodes.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build/typecheck script.
  • dist/index.js only re-exports modules; import does not start networking or filesystem writes.
  • Network/file behavior is activated by explicit CLI commands or Peer.start/joinNetwork and matches the documented P2P messaging purpose.
  • No child_process execution, eval/vm/Function, native addon, binary loading, credential harvesting, destructive action, or AI-agent control-surface writes found.
  • Hardcoded values are bootstrap/TURN relay addresses/credentials for the protocol, not exfiltration endpoints or embedded package secrets.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStrings
Manifest
CopyleftLicense
scanned 44 file(s), 461 KB of source

Source & flagged code

2 flagged · loading source
dist/peer.jsView file
30patternName = generic_password severity = medium line = 30 matchedText = { host: ...s" }
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/peer.jsView on unpkg · L30
dist/stun.jsView file
123const hmacInput = concatBytes([headerForHmac, body]); L124: const hmac = createHmac("sha1", Buffer.from(opts.integrityKey)).update(hmacInput).digest(); L125: body = concatBytes([
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/stun.jsView on unpkg · L123

Findings

3 Medium6 Low
MediumSecret Patterndist/peer.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/stun.js
LowFilesystem
LowHigh Entropy Strings
LowCopyleft License