AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious execution or exfiltration path was found. The main concern is accidental credential exposure in a packaged .env.test file and user-invoked DB migration capability.
Static reason
One or more suspicious static signals were detected.
Trigger
importing package exports, or explicitly running migration:execute/test scripts
Impact
Potential credential leakage from the published package; no confirmed attacker-controlled runtime behavior.
Mechanism
TypeORM database library with bundled test secrets
Rationale
Static inspection shows a normal internal database/entity package with no lifecycle execution or exfiltration, but it ships real-looking private credentials in .env.test. This is a security exposure worth warning on, not evidence of malicious package behavior.
Evidence
package.jsondist/index.jssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.json
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- .env.test contains Firebase private key material and Mailjet API/secret key values bundled in the package.
- src/migrations/execute/index.ts loads dotenv and invokes database migration connection when the user runs the migration script.
- src/config/connect.ts can run TypeORM migrations against env-selected DB settings.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks or bin entry.
- dist/index.js only re-exports migrations, entities, static data, utils, repositories, helpers, and subscribers.
- src/utils/index.ts reads DB_* env vars for TypeORM configuration but does not harvest or transmit environment data.
- No child_process, eval, Function, persistence, destructive import-time behavior, or package-aligned exfiltration endpoint found in inspected source.
Behavioral surface
EnvironmentVars
HighEntropyStrings
Source & flagged code
2 flagged · loading source.env.testView file
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
Findings
2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings