AI Security Review
scanned 6h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Runtime network activity is limited to the package's configured Supabase backend for its product-management UI.
Static reason
One or more suspicious static signals were detected.
Trigger
A host application imports and renders the module; CRUD actions are initiated through its UI.
Impact
User-authorized application data may be read or modified according to Supabase permissions; no unconsented host mutation or exfiltration was found.
Mechanism
Supabase-backed authenticated product-design CRUD.
Rationale
Source inspection shows a React product-design module using Supabase for expected application data operations. Static secret and environment-variable hints are explained by a publishable Supabase client key and lazily read server configuration, with no malicious execution chain.
Evidence
package.jsondist-lib/integrations/supabase/client.jsdist-lib/integrations/supabase/client.server.jsdist-lib/integrations/supabase/auth-middleware.jsdist-lib/components/settings/ProductontwerpSettingsCard.jsdist-lib/index.jsdist-lib/integrations/supabase/auth-attacher.js
Network endpoints1
vmicscahrnzpmhagztmx.supabase.co
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- Browser client configures Supabase at a fixed project URL.
- UI components perform authenticated CRUD for product-design records.
- Server helpers read Supabase environment variables only when invoked.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- No child-process, shell, eval, dynamic loading, or filesystem APIs appear in shipped JavaScript.
- The flagged JWT is a Supabase anon/publishable client key, not a service-role secret.
- The settings API-key field is inert: its save handler only shows a success toast.
- No exfiltration endpoint, credential harvesting, persistence, or AI-agent configuration writes found.
Behavioral surface
EnvironmentVars
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist-lib/integrations/supabase/client.jsView file
4patternName = supabase_service_key
severity = critical
line = 4
matchedText = const SU...kQ";
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist-lib/integrations/supabase/client.jsView on unpkg · L44patternName = supabase_service_key
severity = critical
line = 4
matchedText = const SU...kQ";
Critical
Secret Pattern
Supabase service role key (JWT) in dist-lib/integrations/supabase/client.js
dist-lib/integrations/supabase/client.jsView on unpkg · L4Findings
2 Critical1 Medium4 Low
CriticalCritical Secretdist-lib/integrations/supabase/client.js
CriticalSecret Patterndist-lib/integrations/supabase/client.js
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License