registry  /  @reachu/database  /  1.0.233

@reachu/database@1.0.233

reachu-database

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a TypeORM database model/migration library; suspicious environment-variable and secret patterns are package-aligned or test configuration artifacts.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package loads exports; running migration scripts explicitly connects to the configured database.
Impact
Database schema/model operations when user-invoked; no unauthorized host compromise or exfiltration observed.
Mechanism
TypeORM entities, migrations, subscribers, and connection helpers
Rationale
Static inspection found a normal database package with no lifecycle execution, shell execution, persistence, destructive behavior, or exfiltration path. The bundled .env.test secrets are a packaging hygiene issue, not evidence of malware behavior in this package.
Evidence
package.jsonsrc/index.tsdist/index.jssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.json

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • .env.test bundles Firebase and Mailjet credential-looking test values, but no code path exfiltrates them.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
  • dist/index.js and src/index.ts only re-export migrations, entities, helpers, repositories, utils, and subscribers.
  • src/utils/index.ts reads DB_* environment variables solely to build TypeORM connection config.
  • src/config/connect.ts creates a TypeORM connection and may run migrations when explicitly invoked.
  • No child_process, eval/Function, filesystem writes, credential harvesting, or non-package-aligned network client code found in src/dist search.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 668 file(s), 1.57 MB of source

Source & flagged code

2 flagged · loading source
.env.testView file
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.testView on unpkg · L21
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Secret Pattern

RSA private key in .env.test

.env.testView on unpkg · L21

Findings

2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings