registry  /  @platform-modules/civil-aviation-authority  /  2.3.279

@platform-modules/civil-aviation-authority@2.3.279

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The notable risk is a bundled .env with DB credentials and a user-invoked SQL sync script.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing dist/index.js loads model exports; running npm run sync:sla-sql connects to configured PostgreSQL.
Impact
Potential accidental credential exposure from packaged .env; no evidence of unconsented execution, credential harvesting, or exfiltration.
Mechanism
static model exports and user-invoked PostgreSQL SQL sync
Rationale
Static inspection found a leaked-looking .env and database utility, but no install/import-time malicious execution or exfiltration path. The secret finding is a packaging security exposure, not proof that the package behaves as malware.
Evidence
package.jsondist/index.jsdist/data-source.jsscripts/sync-sla-reports-sql.js.envsrc/data-source.tssql/*.sql

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
    Evidence against
    • package.json has no preinstall/install/postinstall/prepare hooks or bin entrypoint.
    • dist/index.js is a CommonJS export barrel for TypeORM models/enums, with static local requires only.
    • scripts/sync-sla-reports-sql.js is only invoked by npm script and applies packaged SQL to configured PostgreSQL DB.
    • No child_process, eval/vm/Function, HTTP clients, fetch, or external URL literals found in source search.
    • Environment access is limited to DB configuration and SKIP_SLA_SQL_SYNC.
    • .env contains DB_* values, but source does not harvest or exfiltrate them.
    Behavioral surface
    Source
    EnvironmentVarsFilesystem
    Supply chain
    HighEntropyStrings
    Manifest
    NoLicense
    scanned 634 file(s), 2.17 MB of source

    Source & flagged code

    1 flagged · loading source
    4patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L4: DB_PASS=<redacted:40 token-like>
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg · L4

    Findings

    1 Critical1 Medium4 Low
    CriticalCritical Secret.env
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowNo License