registry  /  @mass-money/sdk  /  7.0.3

@mass-money/sdk@7.0.3

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are SDK/test aligned: blockchain RPC fetches are caller-configured and Solana keypair/CLI operations are confined to test emulator helpers.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User-invoked SDK calls or test helper invocation, not package install.
Impact
Expected SDK blockchain interaction; no evidence of unconsented exfiltration or install-time mutation.
Mechanism
Caller-provided blockchain RPC and local Solana test emulator utilities
Rationale
The scanner-highlighted wallet/child_process behavior is in test Solana emulator code that creates local test keypairs, requests local airdrops, deploys local programs, and is not wired to npm install or import-time execution. Runtime network behavior is package-aligned blockchain RPC/fetch functionality using caller-supplied endpoints, with no credential harvesting or exfiltration sink found.
Evidence
package.jsonnode/index.jsweb/index.jsmobile/index.jsoutput/Fetch/foreign.jsoutput/Test.SolEmulator/foreign.jsoutput/Test.SolEmulator/index.js/tmp/deployer-keypair.json../massol/target/deploy/massol-keypair.json../massol/target/deploy/uploader-keypair.json
Network endpoints2
127.0.0.1:8899localhost:2845

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • output/Test.SolEmulator/foreign.js spawns solana-test-validator and solana CLI, writes a temp deployer keypair, and sends local Solana test transactions.
  • node/index.js and web/index.js are large webpack dev builds using eval wrappers.
Evidence against
  • package.json has no npm lifecycle hook names; post-install is a non-lifecycle script.
  • node/index.js exports SDK functions and imports ../output/Main without import-time credential/file harvesting or shell execution.
  • output/Fetch/foreign.js only fetches caller-provided URLs/RPCs for SDK blockchain operations.
  • output/Test.SolEmulator/foreign.js is imported by test modules and uses localhost/test-validator flows, not install/import execution.
  • Search found no broad credential harvesting, external exfiltration endpoint, AI-agent config mutation, or destructive persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 802 file(s), 7.19 MB of source, external domains: 127.0.0.1, aggregator-api.kyberswap.com, api.0x.org, api.brink.trade, api.coingecko.com, api.cow.fi, api.dln.trade, api.mass.money, api.odos.xyz, api.paraswap.io, api.portals.fi, api.staging.mass.money, app.mux.network, arbitrum-api.gmxinfra.io, arbitrum.api.0x.org, avalanche-api.gmxinfra.io, avalanche.api.0x.org, base.api.0x.org, bsc.api.0x.org, eips.ethereum.org, github.com, hermes.pyth.network, lite-api.jup.ag, open-api.openocean.finance, optimism.api.0x.org, polygon.api.0x.org, pro-api.coingecko.com, public-backend.socket.tech, pyth.network, quote-api.jup.ag
Oversized source lightweight scan
node/index.js8.91 MB file, sampled 256 KB
EvalMinifiedUrlStringseips.ethereum.orggithub.com
web/index.js9.53 MB file, sampled 256 KB
EvalMinifiedUrlStringseips.ethereum.orggithub.com

Source & flagged code

2 flagged · loading source
output/Test.SolEmulator/foreign.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import { Keypair, PublicKey, LAMPORTS_PER_SOL, Connection, Transaction, TransactionInstruction, SendTransactionError, ComputeBudgetProgram } from "@solana/web3.js"; L3: import { ... L15: const doSpawn = async () => { L16: const defaultValidator = 'http://127.0.0.1:8899'; L17: // check if validator is already running ... L40: L41: // Handle stdout L42: let resolvedUrl = null; ... L107: const deployDir = '../massol/target/deploy/'; L108: const targetMassolKey = JSON.parse(fs.readFileSync(path.join(deployDir, `./${program}-keypair.json`), 'utf8')); L109: const programKeypair = Keypair.fromSecretKey(Uint8Array.from(targetMassolKey));
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

output/Test.SolEmulator/foreign.jsView on unpkg · L1
web/index.jsView file
path = web/index.js kind = oversized_source_file sizeBytes = 9996448 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

web/index.jsView on unpkg

Findings

1 Critical1 High4 Medium5 Low
CriticalWallet Drainoutput/Test.SolEmulator/foreign.js
HighOversized Source Fileweb/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings