AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a backend Fastify plugin with runtime database migrations, auth, upload, proxy, logging, and metrics features.
Static reason
One or more suspicious static signals were detected.
Trigger
Application imports/registers the Fastify plugin or runs explicit dump/migrate scripts.
Impact
Expected backend framework behavior; no unconsented install-time execution, credential harvesting, or exfiltration identified.
Mechanism
config-driven server routes, local config/env loading, database/file/log operations
Rationale
Static inspection found suspicious primitives, but they are tied to normal server features such as metrics, uploads, migrations, OAuth, and configurable proxying, with no lifecycle-triggered persistence or exfiltration. The prepublishOnly script is publisher-side and there is no install-time attack path.
Evidence
- package.json
- dist/index.js
- dist/config.js
- dist/functions.js
- dist/server/plugins/metric/loggerSystem.js
- dist/server/plugins/upload/startUpload.js
- dist/server/routes/auth/controllers/euSign/authByData.js
- config.json
- /data/local/config.json
- .env.local
- .env.${NODE_ENV}
- .env.${NODE_ENV}.local
- dist/log/migration/*.sql
- dist/log/migration/*.json
- log/dump/*.sql
Network endpoints (4)
- id.softpro.ua
- nsdi.gov.ua
- cdn.tailwindcss.com
- cdn.softpro.ua
Decision evidence
Public snapshot: AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/server/plugins/metric/loggerSystem.js runs fixed command `top -b -n 1` for runtime metrics.
- dist/server/helpers/format/formatNum.js contains eval-based numeric formatting helper.
- dist/config.js imports dotenv and reads config/env files at runtime.
Evidence against
- package.json has no install/postinstall/prepare hook; only prepublishOnly build script.
- dist/index.js is a Fastify plugin registering CRUD/auth/upload/proxy routes; no import-time exfiltration or persistence found.
- dist/index.js proxy/fetch behavior is config-driven runtime server functionality.
- dist/server/plugins/upload/*.js writes upload metadata/chunks under configured upload directories, package-aligned.
- No AI-agent control-surface writes, shell startup/VCS hook mutation, or remote payload loading found.
Behavioral surface
Child Process, Crypto, Environment Vars, Eval, Filesystem, Network, Shell, High Entropy Strings, Url Strings
Source & flagged code
3 flagged

dist/server/plugins/auth/funcs/verifyPassword.js (L27)
L27: patternName = generic_password
severity = medium
line = 27
matchedText = await pg...d]);
Medium · Secret Pattern
Package contains a possible secret pattern.

dist/server/plugins/policy/xssInjection.js (L23)
L23: '\\x',
L24: 'eval(',
L25: 'onmouseover=',
Low · Eval
Package source references a known benign dynamic code generation pattern.

dist/functions.js (L183)
L183: return;
L184: const { uid } = config?.auth?.disable || process.env.NODE_ENV !== "admin"
L185: ? { uid: "1" }
...
L233: format: row.format,
L234: data: row.data,
L235: }));
...
L401: ...acc1,
L402: ...JSON.parse(readFileSync(`locales/${curr.name}/${file.name}`, "utf-8").replace(/[\u200B-\u200D\uFEFF]/g, "")),
L403: }), {});
Low · Weak Crypto
Package source references weak cryptographic algorithms.

Findings
3 Medium, 7 Low
- Medium · Secret Pattern · dist/server/plugins/auth/funcs/verifyPassword.js
- Medium · Network
- Medium · Environment Vars
- Low · Non Install Lifecycle Scripts
- Low · Scripts Present
- Low · Eval · dist/server/plugins/policy/xssInjection.js
- Low · Weak Crypto · dist/functions.js
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings