registry  /  @smartledger/bsv  /  6.2.1

@smartledger/bsv@6.2.1

🚀 Complete Bitcoin SV development framework with legally-recognizable DID:web + W3C VC-JWT toolkit, Legal Token Protocol (LTP), Global Digital Attestation Framework (GDAF), StatusList2021 revocation, and 16 flexible loading options. Standards-based crede

AI Security Review

scanned 18h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Installation does not run package code, and import-time code does not harvest credentials, execute shells, or contact a network endpoint.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI commands or explicit use of development storage APIs.
Impact
Creates caller-requested local files only; no exfiltration, stealth persistence, or foreign control-surface mutation found.
Mechanism
User-invoked local DID/key generation and development-state persistence.
Rationale
The malicious scanner signals are not corroborated by source: the lifecycle hook is publish-only, the binary blob is a test fixture, and minified eval matches bundled dependency/math/polyfill code rather than a hidden payload loader. Source inspection found only explicit user-command local writes and no concrete malicious chain.
Evidence
package.jsonindex.jsbin/cli.jsbuild/esbuild.jslib/smartutxo.jslib/smart_contract/covenant.jstest/block/block.jstest/data/blk86756-testnet.dat

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with high false-positive risk.
Evidence for block
    Evidence against
    • package.json contains only prepublishOnly; no install, preinstall, postinstall, or prepare hook.
    • index.js imports library modules and exposes SmartUTXO lazily; no import-time network or shell execution found.
    • bin/cli.js writes DID/key files only for explicit CLI subcommands and paths under the caller's cwd.
    • lib/smartutxo.js and lib/smart_contract/covenant.js implement documented local development state storage.
    • No runtime child_process or direct HTTP/HTTPS/network-client use was found in source modules.
    • test/data/blk86756-testnet.dat is referenced only by block parsing tests; its bytes match a blockchain fixture.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindings
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 165 file(s), 9.18 MB of source, external domains: bsv.io, docs.moneybutton.com, github.com, smartledger.technology, w3id.org, www.w3.org

    Source & flagged code

    6 flagged · loading source
    bsv-statuslist.min.jsView file
    10`)+" "+e.join(`, L11: `)+" "+r[1]:r[0]+t+" "+e.join(", ")+" "+r[1]}Ue.types=ny();function uy(e){return Array.isArray(e)}Ue.isArray=uy;function Zl(e){return typeof e=="boolean"}Ue.isBoolean=Zl;function $... L12: this._initNamed(entity);
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    bsv-statuslist.min.jsView on unpkg · L10
    lib/crypto/hash.node.jsView file
    11* See: L12: * https://en.wikipedia.org/wiki/SHA-1 L13: *
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    lib/crypto/hash.node.jsView on unpkg · L11
    bsv-smartcontract.min.jsView file
    1var bsvSmartContract=(()=>{var xh=Object.create;var kn=Object.defineProperty;var yh=Object.getOwnPropertyDescriptor;var wh=Object.getOwnPropertyNames;var bh=Object.getPrototypeOf,S... L2: `)};ct.prototype._generateLeftExtractionASM=function(t,e){var r=[{name:"nVersion",len:4,offset:0},{name:"hashPrevouts",len:32,offset:4},{name:"hashSequence",len:32,offset:36},{name... ... L4: `)};ct.prototype._generateScriptLenExtractionASM=function(t,e){return["# \u{1F3AF} Extract scriptLen CompactSize varint ("+t.scriptLenSize+" bytes)","104 OP_SPLIT # Skip... L5: `)};ct.prototype._extractSpecificField=function(t,e){var r=e[t];return r?E.Buffer.from(r,"hex"):null};ct.prototype._interpretField=function(t,e,r){if(!e)return null;var n={raw:e.to... L6: `),Object.keys(t.wallets).length>0&&(Bt("\u{1F45B} Registered Wallets:"),Object.entries(t.wallets).forEach(([e,r])=>{Bt(` ${e}: ${r.utxos.length} UTXOs, ${r.totalValue} sats`)})),... ... L16: \u{1F9E9} Step ${A+1}: ${Te.Opcode.reverseMap[O.opcodenum]||"PUSH"}`),console.log("Stack:",Ln(x.stack)),console.log("AltStack:",Ln(x.altstack))}catch(T){console.log(`\u26A0\uFE0F E... L17: ===========================================`),console.log(
    High
    Obfuscated Payload Loader

    Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

    bsv-smartcontract.min.jsView on unpkg · L1
    test/data/blk86756-testnet.datView file
    •path = test/data/blk86756-testnet.dat kind = high_entropy_blob sizeBytes = 9500 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    test/data/blk86756-testnet.datView on unpkg
    •path = test/data/blk86756-testnet.dat kind = payload_in_excluded_dir sizeBytes = 9500 magicHex = [redacted]
    High
    Payload In Excluded Dir

    Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

    test/data/blk86756-testnet.datView on unpkg
    build/esbuild.jsView file
    •matchType = previous_version_dangerous_delta matchedPackage = @smartledger/bsv@6.1.0 matchedIdentity = npm:QHNtYXJ0bGVkZ2VyL2Jzdg:6.1.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    build/esbuild.jsView on unpkg

    Findings

    1 Critical4 High3 Medium8 Low
    CriticalPrevious Version Dangerous Deltabuild/esbuild.js
    HighObfuscated Payload Loaderbsv-smartcontract.min.js
    HighObfuscated
    HighShips High Entropy Blobtest/data/blk86756-testnet.dat
    HighPayload In Excluded Dirtest/data/blk86756-testnet.dat
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvalbsv-statuslist.min.js
    LowWeak Cryptolib/crypto/hash.node.js
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings