registry  /  @tiledesk/tiledesk-server  /  2.19.13

@tiledesk/tiledesk-server@2.19.13

The Tiledesk server module

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Normal server startup loads an obfuscated Stripe module that writes Stripe credentials to configured application logs. The preinstall hook only conditionally creates a local npm credential file for enterprise dependencies; no AI-agent control surface is modified.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Import/start `app.js`; separately npm preinstall with `ENABLE_ENTERPRISE_MODULE` set
Impact
Stripe credentials may be exposed to console, log files, or optionally configured MongoDB log storage.
Mechanism
Logs sensitive environment credentials; conditionally writes local npm credentials
Rationale
The package is not confirmed malicious, but it contains an automatically triggered credential-logging flaw and opaque payment code that warrant a warning. No concrete malicious payload or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonpubmodules/s/stripe/index.jsservices/modulesManager.jsconfig/winston.jsutils/jobs-worker-queue-manager/queueManagerClassV2.jslogs/app.log.npmrc

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `pubmodules/s/stripe/index.js` is obfuscated and reads Stripe secret environment variables.
  • That module logs `apiKey`, `endpointSecret`, and `apiSecretKey` at import and webhook handling.
  • `services/modulesManager.js` loads the Stripe module during normal server startup.
  • `config/winston.js` writes info logs to console and `logs/app.log`.
  • `package.json` preinstall conditionally writes `.npmrc` from `NPM_TOKEN`.
Evidence against
  • No install hook downloads or executes a remote payload.
  • No child-process, shell, native loader, or package-controlled exfiltration endpoint was found.
  • The `.npmrc` write is guarded by `ENABLE_ENTERPRISE_MODULE` and targets npm registry configuration.
  • `queueManagerClassV2.js` contains `new Function`, but its worker calls nonexistent `processMsg3`, not `processMsg2`.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 382 file(s), 2.37 MB of source, external domains: 34.65.210.38, api.elevenlabs.io, api.telegram.org, api.tiledesk.com, changeit.cloudfunctions.net, chat-v2-dev.firebaseio.com, console.tiledesk.com, developer.tiledesk.com, docs.tiledesk.com, graph.facebook.com, image.jpg, panel.tiledesk.com, securetoken.google.com, tiledesk.com, www.emanueleferonato.com, www.google.com, www.tiledesk.com, www.youtube.com

Source & flagged code

39 flagged · loading source
package.jsonView file
dependencies registry_only=@tiledesk-ent/tiledesk-server-enterprise,@tiledesk-ent/tiledesk-server-jwthistory,@tiledesk-ent/tiledesk-server-payments,@tiledesk-ent/tiledesk-server-request-history,@tiledesk-ent/tiledesk-server-visitorcounter
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.preinstall = if [ $ENABLE_ENTERPRISE_MODULE ]; then npm run enable-ent; fi
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
Runtime dependency names matching Node built-ins: http
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg
scripts.preinstall = if [ $ENABLE_ENTERPRISE_MODULE ]; then npm run enable-ent; fi
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
docs/api-dev.mdView file
49patternName = supabase_service_key severity = critical line = 49 matchedText = eyJhbGci...9UGU
Critical
Critical Secret

Package contains a critical-looking secret pattern.

docs/api-dev.mdView on unpkg · L49
49patternName = supabase_service_key severity = critical line = 49 matchedText = eyJhbGci...9UGU
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L49
53patternName = supabase_service_key severity = critical line = 53 matchedText = -H "Auth...U" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L53
115patternName = supabase_service_key severity = critical line = 115 matchedText = -H "Auth...8" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L115
121patternName = supabase_service_key severity = critical line = 121 matchedText = -H "Auth...U" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L121
144patternName = supabase_service_key severity = critical line = 144 matchedText = -H "Auth...0" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L144
287patternName = supabase_service_key severity = critical line = 287 matchedText = -H "Auth...Q" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L287
351patternName = supabase_service_key severity = critical line = 351 matchedText = -H "Auth...M" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L351
459patternName = supabase_service_key severity = critical line = 459 matchedText = curl -v ...g" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L459
470patternName = supabase_service_key severity = critical line = 470 matchedText = curl -v ...ests
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L470
509patternName = supabase_service_key severity = critical line = 509 matchedText = curl -v ...ests
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L509
513patternName = supabase_service_key severity = critical line = 513 matchedText = curl -v ...eads
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L513
524patternName = supabase_service_key severity = critical line = 524 matchedText = curl -v ...463c
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L524
utils/jobs-worker-queue-manager/queueManagerClassV2.jsView file
270L271: // eval(fdata.function) L272:
Low
Eval

Package source references a known benign dynamic code generation pattern.

utils/jobs-worker-queue-manager/queueManagerClassV2.jsView on unpkg · L270
middleware/noentitycheck.jsView file
1var winston = require('../config/winston'); L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

middleware/noentitycheck.jsView on unpkg · L1
archive.shView file
path = archive.sh kind = build_helper sizeBytes = 2865 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

archive.shView on unpkg
app.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @tiledesk/tiledesk-server@2.19.12 matchedIdentity = npm:[redacted]:2.19.12 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

app.jsView on unpkg
pubmodules/cache/mongoose-cachegoose-fn.jsView file
943patternName = generic_password severity = medium line = 943 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js

pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L943
945patternName = generic_password severity = medium line = 945 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js

pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L945
946patternName = generic_password severity = medium line = 946 matchedText = // winst...rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js

pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L946
pubmodules/sms/listener.jsView file
26patternName = generic_password severity = medium line = 26 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/sms/listener.js

pubmodules/sms/listener.jsView on unpkg · L26
pubmodules/voice-twilio/listener.jsView file
23patternName = generic_password severity = medium line = 23 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/voice-twilio/listener.js

pubmodules/voice-twilio/listener.jsView on unpkg · L23
pubmodules/voice/listener.jsView file
32patternName = generic_password severity = medium line = 32 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/voice/listener.js

pubmodules/voice/listener.jsView on unpkg · L32
pubmodules/tilebot/listener.jsView file
42patternName = generic_password severity = medium line = 42 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/tilebot/listener.js

pubmodules/tilebot/listener.jsView on unpkg · L42
pubmodules/whatsapp/listener.jsView file
26patternName = generic_password severity = medium line = 26 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/whatsapp/listener.js

pubmodules/whatsapp/listener.jsView on unpkg · L26
test/kbRoute.jsView file
195patternName = generic_password severity = medium line = 195 matchedText = .send({ ..." })
Medium
Secret Pattern

Hardcoded password in test/kbRoute.js

test/kbRoute.jsView on unpkg · L195
test/projectRoute.jsView file
64patternName = generic_password severity = medium line = 64 matchedText = .send({ ..." })
Medium
Secret Pattern

Hardcoded password in test/projectRoute.js

test/projectRoute.jsView on unpkg · L64
109patternName = generic_password severity = medium line = 109 matchedText = .send({ ..." })
Medium
Secret Pattern

Hardcoded password in test/projectRoute.js

test/projectRoute.jsView on unpkg · L109
test/authorization.jsView file
32patternName = generic_password severity = medium line = 32 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authorization.js

test/authorization.jsView on unpkg · L32
test/authentication.jsView file
159patternName = generic_password severity = medium line = 159 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L159
208patternName = generic_password severity = medium line = 208 matchedText = // ..." })
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L208
235patternName = generic_password severity = medium line = 235 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L235
259patternName = generic_password severity = medium line = 259 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L259
docs/deploy.mdView file
60patternName = private_key_rsa severity = critical line = 60 matchedText = FIREBASE...MXYX
Critical
Secret Pattern

RSA private key in docs/deploy.md

docs/deploy.mdView on unpkg · L60
services/emailService.jsView file
266patternName = private_key_rsa severity = critical line = 266 matchedText = // pri.....",
Critical
Secret Pattern

RSA private key in services/emailService.js

services/emailService.jsView on unpkg · L266

Findings

16 Critical4 High22 Medium7 Low
CriticalCritical Secretdocs/api-dev.md
CriticalManifest Confusionpackage.json
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/deploy.md
CriticalSecret Patternservices/emailService.js
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated
HighNode Builtin Dependency Squatpackage.json
HighPrevious Version Dangerous Deltaapp.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiremiddleware/noentitycheck.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperarchive.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpubmodules/cache/mongoose-cachegoose-fn.js
MediumSecret Patternpubmodules/cache/mongoose-cachegoose-fn.js
MediumSecret Patternpubmodules/cache/mongoose-cachegoose-fn.js
MediumSecret Patternpubmodules/sms/listener.js
MediumSecret Patternpubmodules/voice-twilio/listener.js
MediumSecret Patternpubmodules/voice/listener.js
MediumSecret Patternpubmodules/tilebot/listener.js
MediumSecret Patternpubmodules/whatsapp/listener.js
MediumSecret Patterntest/kbRoute.js
MediumSecret Patterntest/projectRoute.js
MediumSecret Patterntest/projectRoute.js
MediumSecret Patterntest/authorization.js
MediumSecret Patterntest/authentication.js
MediumSecret Patterntest/authentication.js
MediumSecret Patterntest/authentication.js
MediumSecret Patterntest/authentication.js
LowScripts Present
LowEvalutils/jobs-worker-queue-manager/queueManagerClassV2.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License