AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The package implements user-invoked RSA/AES, UUID, random byte, and key export helpers consistent with its manifest and README.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports and explicitly calls exported crypto functions
Impact
Caller-requested encryption/decryption or generated PEM files; no unsolicited network, install-time, or import-time behavior observed
Mechanism
WebCrypto-based cryptographic utilities with optional keypair file export
Rationale
Static inspection shows package-aligned crypto functionality and a user-invoked key export helper, with no lifecycle execution, network exfiltration, credential harvesting, shell execution, persistence, or destructive behavior. The scanner's private-key-looking finding is generated PEM formatting returned to the caller, not an embedded secret or exfiltration mechanism.
Evidence
package.json
dist/esm/index.js
dist/cjs/index.cjs
dist/esm/core/keyPairs.js
dist/esm/lib/exportKeyPairs.js
dist/esm/core/getCrypto.js
dist/esm/cripter/aesEncrypt.js
dist/esm/cripter/rsaEncrypt.js
README.md
Decision evidence
public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/esm/lib/exportKeyPairs.js can write generated public.pem/private.pem to a caller-supplied directory
- dist/esm/core/keyPairs.js returns generated PEM private key text, matching crypto utility purpose
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks
- dist/esm/index.js only re-exports crypto helper modules; no import-time side effects found
- dist/esm/core/getCrypto.js only selects WebCrypto or Node crypto.webcrypto
- No fetch/http/WebSocket endpoints or exfiltration code found by source search
- dist/esm/cripter/* performs AES-GCM/RSA-OAEP encrypt/decrypt on caller-provided data
- No child_process, eval, persistence, credential harvesting, or destructive file operations found
Behavioral surface
Crypto
Filesystem
Minified
Obfuscated
Source & flagged code
3 flagged

dist/esm/core/keyPairs.js
patternName = private_key_rsa
severity = critical
line = 1
matchedText = import{a...rs};
Critical
Critical Secret
Package contains a critical-looking secret pattern.

dist/esm/core/keyPairs.js
patternName = private_key_rsa
severity = critical
line = 1
matchedText = import{a...rs};
Critical
Secret Pattern
RSA private key in dist/esm/core/keyPairs.js

dist/cjs/index.cjs
patternName = private_key_rsa
severity = critical
line = 1
matchedText = "use str...5=w;
Critical
Findings
3 Critical · 3 Low
Critical · Critical Secret · dist/esm/core/keyPairs.js
Critical · Secret Pattern · dist/esm/core/keyPairs.js
Critical · Secret Pattern · dist/cjs/index.cjs
Low · Scripts Present
Low · Filesystem
Low · Obfuscated