AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a TypeORM database/entity/migration library, but it ships apparent test secrets in .env.test.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit test or migration script use, not install-time execution
Impact
Potential credential exposure from packaged test env file; no code path exfiltrates it.
Mechanism
TypeORM schema/entity exports and user-invoked migration runner
Rationale
Static inspection did not find malware behavior, install-time execution, credential harvesting, or exfiltration. The included .env.test contains apparent private key/API credential material, so this is a packaging secret-exposure risk rather than a publish-block malware case.
Evidence
package.jsonsrc/index.tsdist/index.jssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.json
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
- .env.test includes test Firebase private key material and Mailjet API credentials.
- src/migrations/execute/index.ts loads dotenv and runs DB migrations when that script is explicitly invoked.
Evidence against
- package.json has no preinstall/postinstall/install lifecycle hooks.
- dist/index.js and src/index.ts only re-export migrations, entities, static data, utils, repositories, helpers, and subscribers.
- src/utils/index.ts reads DB_* environment variables only to build TypeORM connection config.
- No child_process, eval/Function abuse, fs writes, persistence, or exfiltration logic found in inspected source.
- Network URLs in README/.env.test are documentation/config values, not contacted by import-time code.
Behavioral surface
EnvironmentVars
HighEntropyStrings
Source & flagged code
2 flagged · loading source.env.testView file
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
Findings
2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings