registry  /  @platform-modules/civil-aviation-authority  /  2.3.293

@platform-modules/civil-aviation-authority@2.3.293

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is primarily TypeORM entity/model exports plus explicit database schema/sync utilities; the shipped .env is a sensitive packaging issue, not evidence of malware behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit import of data-source or manual npm run sync:sla-sql/dev command
Impact
Potential accidental exposure/use of packaged DB credentials, but no installer compromise or exfiltration path identified
Mechanism
TypeORM PostgreSQL model/schema utility using environment DB config
Rationale
Static inspection found a shipped .env and DB utilities, but no lifecycle execution, stealth persistence, credential harvesting from the host, exfiltration endpoint, shell execution, or agent-control mutation. The suspicious findings are consistent with an accidentally packaged internal model/database utility rather than malicious npm behavior.
Evidence
package.jsondist/index.jssrc/data-source.tsdist/data-source.jssrc/scripts.tsscripts/sync-sla-reports-sql.js.envsql/*.sql

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • .env is shipped and contains DB_* configuration keys with credential-like values redacted during inspection.
  • scripts/sync-sla-reports-sql.js reads .env files and connects to PostgreSQL when explicitly run.
  • src/data-source.ts imports dotenv/config and defines a TypeORM DataSource with env/default DB settings.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/index.js is a barrel export of TypeORM model modules, with no network, shell, or filesystem behavior on import found.
  • No HTTP URLs or exfiltration endpoints found by source search.
  • No child_process, eval, vm, native binary loading, or AI-agent control-surface writes found.
  • DB access is package-aligned and triggered by explicit scripts/imported DataSource usage, not install-time execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 640 file(s), 2.31 MB of source

Source & flagged code

1 flagged · loading source
4patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L4: DB_PASS=<redacted:40 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L4

Findings

1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License