registry  /  @reachu/database  /  1.0.230

@reachu/database@1.0.230

reachu-database

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The main risk is accidental publication of real-looking test credentials in .env.test, not package code that steals or abuses credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
Tests or explicit migration execution that load dotenv files
Impact
Potential credential leakage if the included keys are valid
Mechanism
embedded secret exposure in package artifact
Rationale
Static inspection shows a normal TypeORM database package with no install-time execution or exfiltration behavior, but the published .env.test includes private key and API secret material. This is a security exposure warranting warning, not evidence of malicious package behavior.
Evidence
package.jsonsrc/index.tssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.tstest/setup.ts.env.test.vscode/launch.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • .env.test contains embedded Firebase private key material and Mailjet API/secret keys.
  • test/setup.ts loads .env.test for tests; src/migrations/execute/index.ts loads dotenv then runs DB migrations.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • src/index.ts only re-exports migrations, entities, static data, utils, repositories, helpers, and subscribers.
  • src/utils/index.ts reads DB_* env vars to build TypeORM config; no credential harvesting or exfiltration found.
  • src/config/connect.ts runs TypeORM migrations from configured local paths; no remote payload fetch or shell execution.
  • No child_process, eval, Function, filesystem writes, persistence, or AI-agent control-surface writes found in source inspection.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 668 file(s), 1.57 MB of source

Source & flagged code

2 flagged · loading source
.env.testView file
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.testView on unpkg · L21
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Secret Pattern

RSA private key in .env.test

.env.testView on unpkg · L21

Findings

2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings