AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a TypeORM model/schema package with user-invoked database sync utilities and an accidentally packaged .env containing database credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user command such as npm run dev or npm run sync:sla-sql; normal package install has no lifecycle trigger.
Impact
Potential credential exposure from packaged .env, but no source path exfiltrates or abuses it automatically.
Mechanism
TypeORM model exports and optional PostgreSQL schema synchronization
Rationale
Static inspection found a leaked database configuration file and explicit database sync utilities, but no install-time/import-time execution or malicious exfiltration behavior. The suspicious scanner findings are package-aligned environment/database usage plus exposed secrets rather than malware.
Evidence
package.jsondist/index.jssrc/index.tssrc/data-source.tssrc/scripts.tsdist/scripts.jsscripts/sync-sla-reports-sql.js.envsql/*.sql
Network endpoints1
164.52.222.169:5432
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- .env contains database host and credentials, including DB_HOST=164.52.222.169 and DB_PASS values.
- scripts/sync-sla-reports-sql.js can connect to PostgreSQL and apply SQL files, but only when explicitly run.
Evidence against
- package.json has no preinstall/install/postinstall hooks and no bin entry.
- dist/index.js and src/index.ts are model export barrels with static require/export statements.
- src/data-source.ts creates a TypeORM DataSource from env/defaults but does not initialize it on import.
- src/scripts.ts/dist/scripts.js initialize the database only as explicit dev script entrypoints.
- No child_process, eval, fetch/HTTP client, credential harvesting, or exfiltration endpoints found.
Behavioral surface
EnvironmentVarsFilesystem
HighEntropyStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
4patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L4: DB_PASS=<redacted:40 token-like>
Critical
Findings
1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License