registry  /  @reachu/database  /  1.0.236

@reachu/database@1.0.236

reachu-database

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The published package includes a test environment file containing apparent cloud and email-service credentials. No automatic execution or package-originated network exfiltration was found.

Static reason
One or more suspicious static signals were detected.
Trigger
Obtaining or inspecting the package contents exposes the bundled credentials.
Impact
Potential unauthorized use of the configured Firebase or Mailjet accounts if the credentials remain valid.
Mechanism
Bundled credential-bearing `.env.test` configuration file.
Rationale
No malicious execution chain, install hook, or runtime exfiltration behavior was found. However, publishing apparent service credentials is a concrete security issue that warrants a warning until the credentials are confirmed revoked and removed.
Evidence
.env.testtest/setup.tspackage.jsondist/index.jssrc/config/connect.tssrc/migrations/execute/index.tssrc/index.tssrc/utils/index.ts
Network endpoints2
oauth2.googleapis.com/tokenoutshifter-uploads-local.s3-website.eu-central-1.amazonaws.com

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • `.env.test` is bundled and contains a PEM-formatted Firebase private key.
  • `.env.test` contains 32-character `MAILJET_API_KEY` and `MAILJET_SECRET_KEY` values.
  • `.env.test` configures Firebase OAuth/token endpoints and an S3 endpoint.
  • `test/setup.ts` loads `.env.test` for tests.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or prepublish lifecycle hook.
  • `dist/index.js` only re-exports package modules; it does not execute setup logic.
  • Authored source has no child-process, eval/vm, filesystem-harvesting, or runtime HTTP-client calls.
  • `src/migrations/execute/index.ts` is only invoked by an explicit migration script.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 670 file(s), 1.57 MB of source

Source & flagged code

2 flagged · loading source
.env.testView file
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.testView on unpkg · L21
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Secret Pattern

RSA private key in .env.test

.env.testView on unpkg · L21

Findings

2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings