registry  /  @reachu/database  /  1.0.232

@reachu/database@1.0.232

reachu-database

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a TypeORM database/entity/migration library, but it ships apparent test secrets in .env.test.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit test or migration script use, not install-time execution
Impact
Potential credential exposure from packaged test env file; no code path exfiltrates it.
Mechanism
TypeORM schema/entity exports and user-invoked migration runner
Rationale
Static inspection did not find malware behavior, install-time execution, credential harvesting, or exfiltration. The included .env.test contains apparent private key/API credential material, so this is a packaging secret-exposure risk rather than a publish-block malware case.
Evidence
package.jsonsrc/index.tsdist/index.jssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.json

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • .env.test includes test Firebase private key material and Mailjet API credentials.
  • src/migrations/execute/index.ts loads dotenv and runs DB migrations when that script is explicitly invoked.
Evidence against
  • package.json has no preinstall/postinstall/install lifecycle hooks.
  • dist/index.js and src/index.ts only re-export migrations, entities, static data, utils, repositories, helpers, and subscribers.
  • src/utils/index.ts reads DB_* environment variables only to build TypeORM connection config.
  • No child_process, eval/Function abuse, fs writes, persistence, or exfiltration logic found in inspected source.
  • Network URLs in README/.env.test are documentation/config values, not contacted by import-time code.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 668 file(s), 1.57 MB of source

Source & flagged code

2 flagged · loading source
.env.testView file
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.testView on unpkg · L21
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Secret Pattern

RSA private key in .env.test

.env.testView on unpkg · L21

Findings

2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings