AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Risky primitives are user-invoked SDK/test functionality for blockchain compilation, RPC/fetch calls, and local Solana emulator setup.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit SDK API or test helper invocation
Impact
Can submit user-requested requests/transactions or run local Solana tooling when called; no evidence of covert execution or data theft.
Mechanism
Package-aligned blockchain SDK network calls and local emulator process spawning
Rationale
Static inspection shows a blockchain SDK with expected RPC/API integrations and test-emulator helpers; scanner wallet-drain and shell findings map to user-invoked test code, not install/import-time theft or covert behavior. The manifest lacks recognized npm lifecycle hooks and no credential harvesting, exfiltration, persistence, or unauthorized control-surface mutation was found.
Evidence
package.jsonmobile/index.jsnode/index.jsoutput/Fetch/foreign.jsoutput/Staging/foreign.jsoutput/Test.SolEmulator/foreign.js../massol/target/deploy/*-keypair.json/tmp/deployer-keypair.json
Network endpoints4
api.mass.moneyapi.staging.mass.money127.0.0.1:8899localhost:2845
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- output/Test.SolEmulator/foreign.js can spawn solana-test-validator and write /tmp/deployer-keypair.json when test helper is invoked
- output/Fetch/foreign.js provides generic fetch/RPC wrappers used by SDK functions
- node/index.js is a large webpack dev bundle using eval devtool wrappers
Evidence against
- package.json has no npm lifecycle hook; post-install is not recognized as postinstall
- mobile/index.js exports SDK API wrappers and does not run network, shell, or filesystem actions at import
- output/Test.SolEmulator/foreign.js is a test emulator helper using generated/local Solana keypairs, not credential harvesting
- output/Staging/foreign.js endpoints are first-party api.mass.money/api.staging.mass.money
- No install-time execution, exfiltration, persistence, or AI-agent config mutation found
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsMinifiedProtestwareUrlStrings
Oversized source lightweight scan
node/index.js8.91 MB file, sampled 256 KB
EvalMinifiedUrlStringseips.ethereum.orggithub.com
web/index.js9.53 MB file, sampled 256 KB
EvalMinifiedUrlStringseips.ethereum.orggithub.com
Source & flagged code
2 flagged · loading sourceoutput/Test.SolEmulator/foreign.jsView file
1import { spawn, spawnSync } from 'child_process';
L2: import { Keypair, PublicKey, LAMPORTS_PER_SOL, Connection, Transaction, TransactionInstruction, SendTransactionError, ComputeBudgetProgram } from "@solana/web3.js";
L3: import {
...
L15: const doSpawn = async () => {
L16: const defaultValidator = 'http://127.0.0.1:8899';
L17: // check if validator is already running
...
L40:
L41: // Handle stdout
L42: let resolvedUrl = null;
...
L107: const deployDir = '../massol/target/deploy/';
L108: const targetMassolKey = JSON.parse(fs.readFileSync(path.join(deployDir, `./${program}-keypair.json`), 'utf8'));
L109: const programKeypair = Keypair.fromSecretKey(Uint8Array.from(targetMassolKey));
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
output/Test.SolEmulator/foreign.jsView on unpkg · L1web/index.jsView file
•path = web/index.js
kind = oversized_source_file
sizeBytes = 9996448
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
web/index.jsView on unpkgFindings
1 Critical1 High4 Medium5 Low
CriticalWallet Drainoutput/Test.SolEmulator/foreign.js
HighOversized Source Fileweb/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings