registry  /  @exulu/backend  /  2.1.0

@exulu/backend@2.1.0

⚠ Under review

**Exulu IMP** (Intelligence Management Platform) is an open-source TypeScript framework for building production-ready AI agent applications. It provides the backend infrastructure for managing agents, semantic search contexts, background job processing, a

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 50 file(s), 2.43 MB of source, external domains: console.cloud.google.com, www.google.com, www.python.org

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.preinstall = node -e "if (process.version !== 'v22.18.0') { console.error('❌ Wrong Node.js version. Expected v22.18.0, got ' + process.version); process.exit(1); }"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.preinstall = node -e "if (process.version !== 'v22.18.0') { console.error('❌ Wrong Node.js version. Expected v22.18.0, got ' + process.version); process.exit(1); }"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
17820patternName = private_key_rsa severity = critical line = 17820 matchedText = "private...--",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.jsView on unpkg · L17820
17820patternName = private_key_rsa severity = critical line = 17820 matchedText = "private...--",
Critical
Secret Pattern

RSA private key in dist/index.js

dist/index.jsView on unpkg · L17820
88var redisServer = { L89: host: process.env.REDIS_HOST ?? "", L90: port: process.env.REDIS_PORT ?? "", ... L349: }; L350: var resolveLiteLLMConfigPath = () => process.env.LITELLM_CONFIG_PATH ?? resolve(process.cwd(), "./config.litellm.yaml"); L351: var parseEmbeddingModels = (configPath) => { ... L507: contentType: type, L508: metadata: { L509: ...metadata, ... L553: const text = this.encoder.decode(tokens); L554: return new TextDecoder().decode(text); L555: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L88
ee/python/setup.shView file
path = ee/python/setup.sh kind = build_helper sizeBytes = 10741 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

ee/python/setup.shView on unpkg
ee/python/transcription/tests/__init__.pyView file
path = ee/python/transcription/tests/__init__.py kind = payload_in_excluded_dir sizeBytes = 0
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

ee/python/transcription/tests/__init__.pyView on unpkg
dist/cli/start-whisper.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @exulu/backend@1.70.0 matchedIdentity = npm:QGV4dWx1L2JhY2tlbmQ:1.70.0 similarity = 0.444 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/start-whisper.cjsView on unpkg
dist/index.cjsView file
25182patternName = private_key_rsa severity = critical line = 25182 matchedText = "private...--",
Critical
Secret Pattern

RSA private key in dist/index.cjs

dist/index.cjsView on unpkg · L25182

Findings

5 Critical2 High6 Medium7 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalCritical Secretdist/index.js
CriticalPrevious Version Dangerous Deltadist/cli/start-whisper.cjs
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighPayload In Excluded Diree/python/transcription/tests/__init__.py
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperee/python/setup.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License