registry  /  @mass-money/sdk  /  8.0.1

@mass-money/sdk@8.0.1

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are user-invoked SDK/test functionality for blockchain compilation, RPC/fetch calls, and local Solana emulator setup.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit SDK API or test helper invocation
Impact
Can submit user-requested requests/transactions or run local Solana tooling when called; no evidence of covert execution or data theft.
Mechanism
Package-aligned blockchain SDK network calls and local emulator process spawning
Rationale
Static inspection shows a blockchain SDK with expected RPC/API integrations and test-emulator helpers; scanner wallet-drain and shell findings map to user-invoked test code, not install/import-time theft or covert behavior. The manifest lacks recognized npm lifecycle hooks and no credential harvesting, exfiltration, persistence, or unauthorized control-surface mutation was found.
Evidence
package.jsonmobile/index.jsnode/index.jsoutput/Fetch/foreign.jsoutput/Staging/foreign.jsoutput/Test.SolEmulator/foreign.js../massol/target/deploy/*-keypair.json/tmp/deployer-keypair.json
Network endpoints4
api.mass.moneyapi.staging.mass.money127.0.0.1:8899localhost:2845

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • output/Test.SolEmulator/foreign.js can spawn solana-test-validator and write /tmp/deployer-keypair.json when test helper is invoked
  • output/Fetch/foreign.js provides generic fetch/RPC wrappers used by SDK functions
  • node/index.js is a large webpack dev bundle using eval devtool wrappers
Evidence against
  • package.json has no npm lifecycle hook; post-install is not recognized as postinstall
  • mobile/index.js exports SDK API wrappers and does not run network, shell, or filesystem actions at import
  • output/Test.SolEmulator/foreign.js is a test emulator helper using generated/local Solana keypairs, not credential harvesting
  • output/Staging/foreign.js endpoints are first-party api.mass.money/api.staging.mass.money
  • No install-time execution, exfiltration, persistence, or AI-agent config mutation found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 802 file(s), 7.19 MB of source, external domains: 127.0.0.1, aggregator-api.kyberswap.com, api.0x.org, api.brink.trade, api.coingecko.com, api.cow.fi, api.dln.trade, api.mass.money, api.odos.xyz, api.paraswap.io, api.portals.fi, api.staging.mass.money, app.mux.network, arbitrum-api.gmxinfra.io, arbitrum.api.0x.org, avalanche-api.gmxinfra.io, avalanche.api.0x.org, base.api.0x.org, bsc.api.0x.org, eips.ethereum.org, github.com, hermes.pyth.network, lite-api.jup.ag, open-api.openocean.finance, optimism.api.0x.org, polygon.api.0x.org, pro-api.coingecko.com, public-backend.socket.tech, pyth.network, quote-api.jup.ag
Oversized source lightweight scan
node/index.js8.91 MB file, sampled 256 KB
EvalMinifiedUrlStringseips.ethereum.orggithub.com
web/index.js9.53 MB file, sampled 256 KB
EvalMinifiedUrlStringseips.ethereum.orggithub.com

Source & flagged code

2 flagged · loading source
output/Test.SolEmulator/foreign.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import { Keypair, PublicKey, LAMPORTS_PER_SOL, Connection, Transaction, TransactionInstruction, SendTransactionError, ComputeBudgetProgram } from "@solana/web3.js"; L3: import { ... L15: const doSpawn = async () => { L16: const defaultValidator = 'http://127.0.0.1:8899'; L17: // check if validator is already running ... L40: L41: // Handle stdout L42: let resolvedUrl = null; ... L107: const deployDir = '../massol/target/deploy/'; L108: const targetMassolKey = JSON.parse(fs.readFileSync(path.join(deployDir, `./${program}-keypair.json`), 'utf8')); L109: const programKeypair = Keypair.fromSecretKey(Uint8Array.from(targetMassolKey));
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

output/Test.SolEmulator/foreign.jsView on unpkg · L1
web/index.jsView file
path = web/index.js kind = oversized_source_file sizeBytes = 9996448 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

web/index.jsView on unpkg

Findings

1 Critical1 High4 Medium5 Low
CriticalWallet Drainoutput/Test.SolEmulator/foreign.js
HighOversized Source Fileweb/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings