AI Security Review
scanned 6h ago · by lpm-firewall-aiExplicit user-started honeypot listeners capture inbound attacker interactions. Optional telemetry POSTs occur only after a caller supplies `threatCloudEndpoint`; no hard-coded upload host is present. No confirmed malicious or install-time attack surface exists.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `panguard-trap start` or calls `TrapEngine.start()` with enabled services.
Impact
Designed collection of attacker-supplied credentials and commands; source shows no stealthy execution, credential harvesting from the host, or foreign control-surface mutation.
Mechanism
Honeypot network listeners with optional anonymized threat-intelligence upload.
Rationale
Static source inspection supports a package-aligned honeypot implementation, not malicious package behavior. Scanner findings map to explicit listener functionality and dependency-scoped dynamic import, while optional telemetry has privacy and SSRF controls.
Evidence
package.jsondist/cli/index.jsdist/trap-engine.jsdist/threat-cloud-uploader.jsdist/pid-file.jsdist/services/ssh-trap.jsdist/types.jsdist/services/base-service.js
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hook.
- dist/cli/index.js starts listeners only on explicit `start`; stop targets its own data-dir PID file.
- dist/services/ssh-trap.js dynamically imports only declared dependency `ssh2` and Node built-ins.
- dist/threat-cloud-uploader.js requires a supplied HTTPS endpoint, rejects private/reserved hosts and redirects.
- dist/threat-cloud-uploader.js uploads anonymized IPs and hashed usernames, not captured passwords.
- No child-process, eval/vm, native loading, or broad filesystem harvesting found in packaged JS.
Behavioral surface
CryptoDynamicRequireFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/services/generic-trap.jsView file
76patternName = generic_password
severity = medium
line = 76
matchedText = pwd: '...
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/services/generic-trap.jsView on unpkg · L76dist/services/ssh-trap.jsView file
101logger.info('SSH honeypot using TCP fallback (ssh2 not available)');
L102: const net = await import('node:net');
L103: this.server = net.createServer((socket) => {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/services/ssh-trap.jsView on unpkg · L10172patternName = generic_password
severity = medium
line = 72
matchedText = pwd: '...
Medium
Secret Pattern
Hardcoded password in dist/services/ssh-trap.js
dist/services/ssh-trap.jsView on unpkg · L72Findings
4 Medium4 Low
MediumSecret Patterndist/services/generic-trap.js
MediumDynamic Requiredist/services/ssh-trap.js
MediumNetwork
MediumSecret Patterndist/services/ssh-trap.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings