AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a TypeORM database model/migration library; suspicious environment-variable and secret patterns are package-aligned or test configuration artifacts.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package loads exports; running migration scripts explicitly connects to the configured database.
Impact
Database schema/model operations when user-invoked; no unauthorized host compromise or exfiltration observed.
Mechanism
TypeORM entities, migrations, subscribers, and connection helpers
Rationale
Static inspection found a normal database package with no lifecycle execution, shell execution, persistence, destructive behavior, or exfiltration path. The bundled .env.test secrets are a packaging hygiene issue, not evidence of malware behavior in this package.
Evidence
package.jsonsrc/index.tsdist/index.jssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.json
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- .env.test bundles Firebase and Mailjet credential-looking test values, but no code path exfiltrates them.
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
- dist/index.js and src/index.ts only re-export migrations, entities, helpers, repositories, utils, and subscribers.
- src/utils/index.ts reads DB_* environment variables solely to build TypeORM connection config.
- src/config/connect.ts creates a TypeORM connection and may run migrations when explicitly invoked.
- No child_process, eval/Function, filesystem writes, credential harvesting, or non-package-aligned network client code found in src/dist search.
Behavioral surface
EnvironmentVars
HighEntropyStrings
Source & flagged code
2 flagged · loading source.env.testView file
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
Findings
2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings