registry  /  @platform-modules/civil-aviation-authority  /  2.3.290

@platform-modules/civil-aviation-authority@2.3.290

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a TypeORM model/schema package with user-invoked database sync utilities and an accidentally packaged .env containing database credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user command such as npm run dev or npm run sync:sla-sql; normal package install has no lifecycle trigger.
Impact
Potential credential exposure from packaged .env, but no source path exfiltrates or abuses it automatically.
Mechanism
TypeORM model exports and optional PostgreSQL schema synchronization
Rationale
Static inspection found a leaked database configuration file and explicit database sync utilities, but no install-time/import-time execution or malicious exfiltration behavior. The suspicious scanner findings are package-aligned environment/database usage plus exposed secrets rather than malware.
Evidence
package.jsondist/index.jssrc/index.tssrc/data-source.tssrc/scripts.tsdist/scripts.jsscripts/sync-sla-reports-sql.js.envsql/*.sql
Network endpoints1
164.52.222.169:5432

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • .env contains database host and credentials, including DB_HOST=164.52.222.169 and DB_PASS values.
  • scripts/sync-sla-reports-sql.js can connect to PostgreSQL and apply SQL files, but only when explicitly run.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and no bin entry.
  • dist/index.js and src/index.ts are model export barrels with static require/export statements.
  • src/data-source.ts creates a TypeORM DataSource from env/defaults but does not initialize it on import.
  • src/scripts.ts/dist/scripts.js initialize the database only as explicit dev script entrypoints.
  • No child_process, eval, fetch/HTTP client, credential harvesting, or exfiltration endpoints found.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 636 file(s), 2.28 MB of source

Source & flagged code

1 flagged · loading source
4patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L4: DB_PASS=<redacted:40 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L4

Findings

1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License