AI Security Review
scanned 3h ago · by lpm-firewall-aiThe published package includes a test environment file containing apparent cloud and email-service credentials. No automatic execution or package-originated network exfiltration was found.
Static reason
One or more suspicious static signals were detected.
Trigger
Obtaining or inspecting the package contents exposes the bundled credentials.
Impact
Potential unauthorized use of the configured Firebase or Mailjet accounts if the credentials remain valid.
Mechanism
Bundled credential-bearing `.env.test` configuration file.
Rationale
No malicious execution chain, install hook, or runtime exfiltration behavior was found. However, publishing apparent service credentials is a concrete security issue that warrants a warning until the credentials are confirmed revoked and removed.
Evidence
.env.testtest/setup.tspackage.jsondist/index.jssrc/config/connect.tssrc/migrations/execute/index.tssrc/index.tssrc/utils/index.ts
Network endpoints2
oauth2.googleapis.com/tokenoutshifter-uploads-local.s3-website.eu-central-1.amazonaws.com
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
- `.env.test` is bundled and contains a PEM-formatted Firebase private key.
- `.env.test` contains 32-character `MAILJET_API_KEY` and `MAILJET_SECRET_KEY` values.
- `.env.test` configures Firebase OAuth/token endpoints and an S3 endpoint.
- `test/setup.ts` loads `.env.test` for tests.
Evidence against
- `package.json` has no preinstall, install, postinstall, prepare, or prepublish lifecycle hook.
- `dist/index.js` only re-exports package modules; it does not execute setup logic.
- Authored source has no child-process, eval/vm, filesystem-harvesting, or runtime HTTP-client calls.
- `src/migrations/execute/index.ts` is only invoked by an explicit migration script.
Behavioral surface
EnvironmentVars
HighEntropyStrings
Source & flagged code
2 flagged · loading source.env.testView file
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
Findings
2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings