
@ka-libs/crypto@1.3.3

Cross-environment crypto utility for Node.js and the browser, implementing RSA-AES hybrid encryption on top of native Web Crypto / Node.js crypto, without third-party dependencies.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package exposes user-invoked cryptographic helpers and one documented key export helper; there is no install-time execution, exfiltration, persistence, or remote payload loading.

Static reason: One or more suspicious static signals were detected.
Trigger: User imports and calls exported crypto functions.
Impact: Caller-requested encryption/decryption/key generation only; no unsolicited project mutation observed.
Mechanism: WebCrypto RSA/AES utilities with optional explicit key file export.
Rationale: The scanner's critical secret finding is a false positive on generated PEM formatting strings in keyPairs, not a bundled secret. File writes are limited to a documented, explicit exportKeyPairs API and no concrete malicious behavior is present.
Evidence:
  • package.json
  • dist/esm/index.js
  • dist/esm/core/keyPairs.js
  • dist/esm/lib/exportKeyPairs.js
  • dist/esm/cripter/aesEncrypt.js
  • dist/esm/cripter/aesDecrypt.js
  • dist/esm/cripter/rsaEncrypt.js
  • dist/esm/cripter/rsaDecrypt.js
  • README.md

Decision evidence

Public snapshot: AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/esm/lib/exportKeyPairs.js writes public.pem/private.pem to a caller-provided directory, but only when explicitly invoked.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/esm/index.js only re-exports crypto utility functions; no import-time side effects observed.
  • dist/esm/core/keyPairs.js generates a fresh RSA key pair and returns PEM strings; no embedded private key is present.
  • dist/esm/cripter/* implements AES/RSA encrypt/decrypt using WebCrypto without network calls.
  • rg found no fetch/XMLHttpRequest/http endpoints, child_process, eval/Function, or process.env harvesting.
  • README.md documents exportKeyPairs as a user-called Node helper that writes generated key files.
Behavioral surface
Source: Crypto, Filesystem
Supply chain: Minified, Obfuscated
Manifest: No manifest risk signals triggered.
scanned 39 file(s), 14.8 KB of source

Source & flagged code

3 flagged

dist/esm/core/keyPairs.js
patternName = private_key_rsa severity = critical line = 1 matchedText = import{a...rs};
  • Critical · Critical Secret: Package contains a critical-looking secret pattern. (dist/esm/core/keyPairs.js, line 1)
  • Critical · Secret Pattern: RSA private key in dist/esm/core/keyPairs.js (dist/esm/core/keyPairs.js, line 1)

dist/cjs/index.cjs
patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...5=w;
  • Critical · Secret Pattern: RSA private key in dist/cjs/index.cjs (dist/cjs/index.cjs, line 1)

Findings

3 Critical, 3 Low
  • Critical · Critical Secret · dist/esm/core/keyPairs.js
  • Critical · Secret Pattern · dist/esm/core/keyPairs.js
  • Critical · Secret Pattern · dist/cjs/index.cjs
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Obfuscated