registry  /  @reachu/database  /  1.0.231

@reachu/database@1.0.231

reachu-database

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious execution or exfiltration path was found. The main concern is accidental credential exposure in a packaged .env.test file and user-invoked DB migration capability.

Static reason
One or more suspicious static signals were detected.
Trigger
importing package exports, or explicitly running migration:execute/test scripts
Impact
Potential credential leakage from the published package; no confirmed attacker-controlled runtime behavior.
Mechanism
TypeORM database library with bundled test secrets
Rationale
Static inspection shows a normal internal database/entity package with no lifecycle execution or exfiltration, but it ships real-looking private credentials in .env.test. This is a security exposure worth warning on, not evidence of malicious package behavior.
Evidence
package.jsondist/index.jssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • .env.test contains Firebase private key material and Mailjet API/secret key values bundled in the package.
  • src/migrations/execute/index.ts loads dotenv and invokes database migration connection when the user runs the migration script.
  • src/config/connect.ts can run TypeORM migrations against env-selected DB settings.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks or bin entry.
  • dist/index.js only re-exports migrations, entities, static data, utils, repositories, helpers, and subscribers.
  • src/utils/index.ts reads DB_* env vars for TypeORM configuration but does not harvest or transmit environment data.
  • No child_process, eval, Function, persistence, destructive import-time behavior, or package-aligned exfiltration endpoint found in inspected source.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 668 file(s), 1.57 MB of source

Source & flagged code

2 flagged · loading source
.env.testView file
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.testView on unpkg · L21
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Secret Pattern

RSA private key in .env.test

.env.testView on unpkg · L21

Findings

2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings