@ka-libs/crypto@1.1.0

Cross-environment crypto utility for Node.js and the browser, implementing RSA-AES hybrid encryption on top of the native Web Crypto / Node.js crypto APIs, with no third-party dependencies.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed attack surface beyond package-aligned cryptographic utility behavior. Key generation, encryption/decryption, random bytes, UUIDs, and optional user-invoked key export match the package purpose.

Static reason: One or more suspicious static signals were detected.
Trigger: Importing exports is inert; runtime crypto helpers execute only when application code calls them.
Impact: No credential harvesting, exfiltration, persistence, destructive behavior, or install-time execution identified.
Mechanism: Native WebCrypto/Node crypto wrapper with optional PEM file export.
Rationale: Static source inspection shows a zero-dependency crypto helper package with no lifecycle execution or network behavior. The suspicious private-key pattern is part of a key generation API returning newly generated PEM material and is package-aligned.
Evidence:
• package.json
• dist/esm/index.js
• dist/cjs/index.cjs
• dist/esm/core/keyPairs.js
• dist/esm/lib/exportKeyPairs.js
• dist/esm/cripter/encrypt.js
• dist/esm/cripter/decrypt.js
• dist/esm/core/getCrypto.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block: none listed.

Evidence against:
• package.json has no install/preinstall/postinstall lifecycle hooks
• Entrypoints dist/esm/index.js and dist/cjs/index.cjs only export crypto helpers
• dist/esm/core/keyPairs.js generates a fresh RSA keypair and returns PEM strings; the scanner's secret hit is generated output text, not embedded secret material
• No network APIs or endpoints found in source inspection
• The only filesystem write is the user-invoked exportKeyPairs, which writes public.pem/private.pem to a caller-supplied directory

Behavioral surface
Source: Crypto, Filesystem
Supply chain: Minified, Obfuscated
Manifest: No manifest risk signals triggered.
scanned 39 file(s), 13.9 KB of source

Source & flagged code

3 flagged

dist/esm/core/keyPairs.js (line 1)
patternName = private_key_rsa severity = critical line = 1 matchedText = import{a...rs};
Critical · Critical Secret
Package contains a critical-looking secret pattern.

dist/esm/core/keyPairs.js (line 1)
patternName = private_key_rsa severity = critical line = 1 matchedText = import{a...rs};
Critical · Secret Pattern
RSA private key in dist/esm/core/keyPairs.js

dist/cjs/index.cjs (line 1)
patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...5=w;
Critical · Secret Pattern
RSA private key in dist/cjs/index.cjs

Findings

3 Critical, 3 Low
• Critical · Critical Secret · dist/esm/core/keyPairs.js
• Critical · Secret Pattern · dist/esm/core/keyPairs.js
• Critical · Secret Pattern · dist/cjs/index.cjs
• Low · Scripts Present
• Low · Filesystem
• Low · Obfuscated