AI Security Review
scanned 2h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package exposes user-invoked cryptographic helpers and one documented key export helper; there is no install-time execution, exfiltration, persistence, or remote payload loading.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports and calls exported crypto functions.
Impact
Caller-requested encryption/decryption/key generation only; no unsolicited project mutation observed.
Mechanism
WebCrypto RSA/AES utilities with optional explicit key file export
Rationale
The scanner's critical secret finding is a false positive on generated PEM formatting strings in keyPairs, not a bundled secret. File writes are limited to a documented, explicit exportKeyPairs API and no concrete malicious behavior is present.
Evidence
- package.json
- dist/esm/index.js
- dist/esm/core/keyPairs.js
- dist/esm/lib/exportKeyPairs.js
- dist/esm/cripter/aesEncrypt.js
- dist/esm/cripter/aesDecrypt.js
- dist/esm/cripter/rsaEncrypt.js
- dist/esm/cripter/rsaDecrypt.js
- README.md
Decision evidence
public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/esm/lib/exportKeyPairs.js writes public.pem/private.pem to a caller-provided directory, but only when explicitly invoked.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/esm/index.js only re-exports crypto utility functions; no import-time side effects observed.
- dist/esm/core/keyPairs.js generates a fresh RSA key pair and returns PEM strings; no embedded private key is present.
- dist/esm/cripter/* implements AES/RSA encrypt/decrypt using WebCrypto without network calls.
- rg found no fetch/XMLHttpRequest/http endpoints, child_process, eval/Function, or process.env harvesting.
- README.md documents exportKeyPairs as a user-called Node helper that writes generated key files.
Behavioral surface
Crypto · Filesystem · Minified · Obfuscated
Source & flagged code
3 flagged

dist/esm/core/keyPairs.js
patternName = private_key_rsa
severity = critical
line = 1
matchedText = import{a...rs};
Critical
Critical Secret
Package contains a critical-looking secret pattern.

dist/esm/core/keyPairs.js
patternName = private_key_rsa
severity = critical
line = 1
matchedText = import{a...rs};
Critical
Secret Pattern
RSA private key in dist/esm/core/keyPairs.js

dist/cjs/index.cjs
patternName = private_key_rsa
severity = critical
line = 1
matchedText = "use str...5=w;
Critical
Findings
3 Critical · 3 Low
- Critical · Critical Secret · dist/esm/core/keyPairs.js
- Critical · Secret Pattern · dist/esm/core/keyPairs.js
- Critical · Secret Pattern · dist/cjs/index.cjs
- Low · Scripts Present
- Low · Filesystem
- Low · Obfuscated