registry  /  @florent-uzio/custody  /  2.6.1

@florent-uzio/custody@2.6.1

An SDK to interact with the Ripple Custody API

AI Security Review

scanned 7h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network behavior is the SDK's user-configured Ripple Custody API/authentication transport.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer constructs `RippleCustody` and invokes an API operation or version detection.
Impact
No unconsented installation-time execution, credential harvesting, persistence, or foreign-control-surface mutation was established.
Mechanism
Signs a caller-provided challenge and sends authenticated HTTP requests to caller-provided service URLs.
Rationale
The scanner's secret signal is explained by legitimate local secp256k1 private-key generation and signing. Runtime network calls are package-aligned SDK behavior and target caller-configured URLs, with no malicious execution chain found.
Evidence
package.jsondist/index.jsdist/ripple-custody.jsdist/services/apis/api.service.jsdist/services/auth/auth.service.jsdist/services/keypairs/secp256k1.service.jsdist/versioning/detect.js

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has only `prepare` and `prepublishOnly` build/test hooks; no install hook.
    • `dist/index.js` is a re-export entrypoint with no import-time network or filesystem action.
    • `dist/services/apis/api.service.js` sends authenticated requests only to caller-supplied `apiUrl`.
    • `dist/services/auth/auth.service.js` posts signed challenge data only to caller-supplied `authUrl`.
    • `dist/services/keypairs/secp256k1.service.js` generates/signs keys locally; it contains no embedded secret or exfiltration.
    • No filesystem, process, child-process, eval, dynamic import, or agent-config mutation was found in `dist`.
    Behavioral surface
    Source
    CryptoNetwork
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 130 file(s), 601 KB of source

    Source & flagged code

    4 flagged · loading source
    dist/services/keypairs/secp256k1.service.jsView file
    58patternName = private_key_ec severity = critical line = 58 matchedText = const ha...-");
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/services/keypairs/secp256k1.service.jsView on unpkg · L58
    58patternName = private_key_ec severity = critical line = 58 matchedText = const ha...-");
    Critical
    Secret Pattern

    EC private key in dist/services/keypairs/secp256k1.service.js

    dist/services/keypairs/secp256k1.service.jsView on unpkg · L58
    dist/services/keypairs/ed25519.service.jsView file
    50patternName = private_key_rsa severity = critical line = 50 matchedText = if (!isS...)) {
    Critical
    Secret Pattern

    RSA private key in dist/services/keypairs/ed25519.service.js

    dist/services/keypairs/ed25519.service.jsView on unpkg · L50
    dist/services/keypairs/secp256r1.service.jsView file
    58patternName = private_key_ec severity = critical line = 58 matchedText = const ha...-");
    Critical
    Secret Pattern

    EC private key in dist/services/keypairs/secp256r1.service.js

    dist/services/keypairs/secp256r1.service.jsView on unpkg · L58

    Findings

    4 Critical1 Medium3 Low
    CriticalCritical Secretdist/services/keypairs/secp256k1.service.js
    CriticalSecret Patterndist/services/keypairs/secp256k1.service.js
    CriticalSecret Patterndist/services/keypairs/ed25519.service.js
    CriticalSecret Patterndist/services/keypairs/secp256r1.service.js
    MediumNetwork
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings