AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime use is limited to the package's declared Supabase-backed product-management functionality.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer renders or invokes exported product-management components.
Impact
Authorized application users can read or modify application product data according to configured Supabase permissions.
Mechanism
Supabase authentication and CRUD for product and BOM data.
Rationale
Static source inspection shows a React product-design module that uses Supabase for its stated data functions. The scanner's secret signal is a public Supabase anon key; no concrete malicious behavior or install-time execution is present.
Evidence
package.jsondist-lib/index.jsdist-lib/integrations/supabase/client.jsdist-lib/integrations/supabase/client.server.jsdist-lib/integrations/supabase/auth-middleware.jsdist-lib/components/productontwerp/ProductSamenstellingDialog.jsdist-lib/integrations/supabase/auth-attacher.js
Network endpoints1
vmicscahrnzpmhagztmx.supabase.co
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist-lib/integrations/supabase/client.js` initializes a Supabase client with a public anon key and persistent browser session storage.
- Product UI components issue Supabase CRUD calls for product and BOM records.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hooks.
- `dist-lib/index.js` only exports UI/module components; it has no import-time network or shell execution.
- `dist-lib/integrations/supabase/client.server.js` reads service-role credentials only from runtime environment variables.
- No child-process, dynamic-code, filesystem-harvesting, exfiltration, persistence, or AI-agent-control writes were found.
- The flagged JWT is explicitly a Supabase publishable/anon client key, not an embedded service credential.
Behavioral surface
EnvironmentVars
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist-lib/integrations/supabase/client.jsView file
4patternName = supabase_service_key
severity = critical
line = 4
matchedText = const SU...kQ";
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist-lib/integrations/supabase/client.jsView on unpkg · L44patternName = supabase_service_key
severity = critical
line = 4
matchedText = const SU...kQ";
Critical
Secret Pattern
Supabase service role key (JWT) in dist-lib/integrations/supabase/client.js
dist-lib/integrations/supabase/client.jsView on unpkg · L4Findings
2 Critical1 Medium4 Low
CriticalCritical Secretdist-lib/integrations/supabase/client.js
CriticalSecret Patterndist-lib/integrations/supabase/client.js
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License