registry  /  @platform-modules/civil-aviation-authority  /  2.3.295

@platform-modules/civil-aviation-authority@2.3.295

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malware attack surface is established. The package is a TypeORM model/schema package with user-invoked database maintenance scripts and an accidentally packaged .env-like credential file.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing dist/index.js or explicitly running npm scripts such as sync:sla-sql/fix:enum/dev.
Impact
Potential accidental credential exposure and database modification if a user runs maintenance scripts with provided DB config; no automatic malicious execution observed.
Mechanism
TypeORM model exports and explicit PostgreSQL schema/SQL maintenance scripts.
Rationale
Static inspection found risky packaged DB credentials and user-run PostgreSQL maintenance scripts, but no install-time/import-time exfiltration, remote payload execution, persistence, or unauthorized mutation. The scanner secret finding is valid as a hygiene/data exposure issue, not evidence that this npm package is malicious.
Evidence
package.json.envdist/index.jssrc/data-source.tsdist/data-source.jsscripts/run-enum-fix.jsscripts/sync-sla-reports-sql.jssql/fix_maintenance_subject_classification_enum_2026_07.sqlsql/sla-reports-sync.manifest.json
Network endpoints1
164.52.222.169:5432

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • .env packages PostgreSQL connection settings including DB_HOST and DB_PASS.
  • scripts/run-enum-fix.js and scripts/sync-sla-reports-sql.js connect to PostgreSQL when explicitly run.
  • src/data-source.ts sets TypeORM synchronize:true, risky if user-invoked against production DB.
Evidence against
  • package.json has no preinstall/install/postinstall hooks or bin entrypoints.
  • dist/index.js only re-exports TypeORM model modules; no fetch/HTTP, child_process, eval, or filesystem mutation found.
  • Database scripts read bundled SQL files and require explicit npm script/user execution.
  • No credential harvesting, exfiltration endpoint, persistence, destructive install-time behavior, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 641 file(s), 2.31 MB of source

Source & flagged code

1 flagged · loading source
4patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L4: DB_PASS=<redacted:40 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L4

Findings

1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License