
@ka-libs/crypto@1.0.0

Cross-environment crypto utility for Node.js and the browser, implementing RSA-AES hybrid encryption on top of native Web Crypto / Node.js crypto with no third-party dependencies.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package implements user-invoked RSA/AES, UUID, random byte, and key export helpers consistent with its manifest and README.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports and explicitly calls exported crypto functions
Impact
Caller-requested encryption/decryption or generated PEM files; no unsolicited network, install-time, or import-time behavior observed
Mechanism
WebCrypto-based cryptographic utilities with optional keypair file export
Rationale
Static inspection shows package-aligned crypto functionality and a user-invoked key export helper, with no lifecycle execution, network exfiltration, credential harvesting, shell execution, persistence, or destructive behavior. The scanner's private-key-looking finding is generated PEM formatting returned to the caller, not an embedded secret or exfiltration mechanism.
Evidence
  • package.json
  • dist/esm/index.js
  • dist/cjs/index.cjs
  • dist/esm/core/keyPairs.js
  • dist/esm/lib/exportKeyPairs.js
  • dist/esm/core/getCrypto.js
  • dist/esm/cripter/aesEncrypt.js
  • dist/esm/cripter/rsaEncrypt.js
  • README.md

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/esm/lib/exportKeyPairs.js can write generated public.pem/private.pem to a caller-supplied directory
  • dist/esm/core/keyPairs.js returns generated PEM private key text, matching crypto utility purpose
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • dist/esm/index.js only re-exports crypto helper modules; no import-time side effects found
  • dist/esm/core/getCrypto.js only selects WebCrypto or Node crypto.webcrypto
  • No fetch/http/WebSocket endpoints or exfiltration code found by source search
  • dist/esm/cripter/* performs AES-GCM/RSA-OAEP encrypt/decrypt on caller-provided data
  • No child_process, eval, persistence, credential harvesting, or destructive file operations found
Behavioral surface
Source: Crypto, Filesystem
Supply chain: Minified, Obfuscated
Manifest: No manifest risk signals triggered.
scanned 39 file(s), 13.9 KB of source

Source & flagged code

3 flagged

dist/esm/core/keyPairs.js
  • Critical · Critical Secret: Package contains a critical-looking secret pattern.
    patternName = private_key_rsa, severity = critical, line = 1, matchedText = import{a...rs};
  • Critical · Secret Pattern: RSA private key in dist/esm/core/keyPairs.js
    patternName = private_key_rsa, severity = critical, line = 1, matchedText = import{a...rs};

dist/cjs/index.cjs
  • Critical · Secret Pattern: RSA private key in dist/cjs/index.cjs
    patternName = private_key_rsa, severity = critical, line = 1, matchedText = "use str...5=w;

Findings

3 Critical, 3 Low
  • Critical · Critical Secret · dist/esm/core/keyPairs.js
  • Critical · Secret Pattern · dist/esm/core/keyPairs.js
  • Critical · Secret Pattern · dist/cjs/index.cjs
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Obfuscated