AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The main risk is accidental publication of real-looking test credentials in .env.test, not package code that steals or abuses credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
Tests or explicit migration execution that load dotenv files
Impact
Potential credential leakage if the included keys are valid
Mechanism
embedded secret exposure in package artifact
Rationale
Static inspection shows a normal TypeORM database package with no install-time execution or exfiltration behavior, but the published .env.test includes private key and API secret material. This is a security exposure warranting warning, not evidence of malicious package behavior.
Evidence
package.jsonsrc/index.tssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.tstest/setup.ts.env.test.vscode/launch.json
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
- .env.test contains embedded Firebase private key material and Mailjet API/secret keys.
- test/setup.ts loads .env.test for tests; src/migrations/execute/index.ts loads dotenv then runs DB migrations.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- src/index.ts only re-exports migrations, entities, static data, utils, repositories, helpers, and subscribers.
- src/utils/index.ts reads DB_* env vars to build TypeORM config; no credential harvesting or exfiltration found.
- src/config/connect.ts runs TypeORM migrations from configured local paths; no remote payload fetch or shell execution.
- No child_process, eval, Function, filesystem writes, persistence, or AI-agent control-surface writes found in source inspection.
Behavioral surface
EnvironmentVars
HighEntropyStrings
Source & flagged code
2 flagged · loading source.env.testView file
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
Findings
2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings