registry  /  @tiledesk/tiledesk-server  /  2.19.12

@tiledesk/tiledesk-server@2.19.12

The Tiledesk server module

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious payload was found, but the package contains a runtime AMQP-triggered dynamic code execution path. Install-time token handling writes a local .npmrc only when an enterprise env flag is set.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Runtime worker connected to AMQP queue, or install with ENABLE_ENTERPRISE_MODULE set.
Impact
Potential RCE if an attacker can publish to the configured AMQP functions queue; possible local credential residue in .npmrc.
Mechanism
AMQP-delivered JavaScript executed with new Function; env-gated .npmrc write.
Attack narrative
A deployed worker can bind an AMQP queue to routing key functions and, for messages containing a function field, instantiate and run it with new Function against supplied payload. This is not install-time malware and appears tied to the product's job-worker architecture, but it is a real dangerous capability if queue publishing is not tightly controlled.
Rationale
Static inspection does not support a malicious verdict: the lifecycle script is env-gated and local, and network behavior is aligned with a chat/server product. The unresolved AMQP new Function path is dangerous enough to warn rather than mark clean.
Evidence
package.jsonbin/wwwutils/jobs-worker-queue-manager/queueManagerClassV2.jsutils/jobs-worker-queue-manager/JobManagerV2.jsservices/aiManager.jsroutes/kb.jspubmodules/s/index.jsdocs/api-dev.md.npmrc
Network endpoints2
amqp://localhostregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json preinstall runs enable-ent when ENABLE_ENTERPRISE_MODULE is set and writes NPM_TOKEN into .npmrc.
  • utils/jobs-worker-queue-manager/queueManagerClassV2.js consumes AMQP routing key functions and executes fdata.function via new Function.
  • utils/jobs-worker-queue-manager/JobManagerV2.js has deprecated schedule(fn,payload) that serializes functions onto the functions queue.
  • pubmodules/s/* is obfuscated payment/Stripe code, increasing review risk though source map names it payments.
  • docs/api-dev.md contains example credentials/JWTs/project secrets in documentation.
Evidence against
  • No unconditional install-time network call or import-time exfiltration found in package.json or bin/www.
  • The .npmrc write is env-gated and appears intended to install private @tiledesk-ent optional modules, not to transmit credentials.
  • bin/www starts an Express/WebSocket server for the declared Tiledesk product.
  • AMQP, Stripe, Firebase, webhook, and email network use is server/product-aligned and configuration-driven.
  • middleware/noentitycheck.js scanner dynamic-require hint is a simple Express middleware with no dynamic require.
  • Documentation secrets appear to be examples/test tokens, not code paths that harvest or exfiltrate secrets.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 377 file(s), 2.33 MB of source, external domains: 34.65.210.38, api.elevenlabs.io, api.telegram.org, api.tiledesk.com, changeit.cloudfunctions.net, chat-v2-dev.firebaseio.com, console.tiledesk.com, developer.tiledesk.com, docs.tiledesk.com, graph.facebook.com, image.jpg, panel.tiledesk.com, securetoken.google.com, tiledesk.com, www.emanueleferonato.com, www.google.com, www.tiledesk.com, www.youtube.com

Source & flagged code

38 flagged · loading source
package.jsonView file
dependencies registry_only=@tiledesk-ent/tiledesk-server-enterprise,@tiledesk-ent/tiledesk-server-jwthistory,@tiledesk-ent/tiledesk-server-payments,@tiledesk-ent/tiledesk-server-request-history,@tiledesk-ent/tiledesk-server-visitorcounter
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.preinstall = if [ $ENABLE_ENTERPRISE_MODULE ]; then npm run enable-ent; fi
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
Runtime dependency names matching Node built-ins: http
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg
scripts.preinstall = if [ $ENABLE_ENTERPRISE_MODULE ]; then npm run enable-ent; fi
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
docs/api-dev.mdView file
49patternName = supabase_service_key severity = critical line = 49 matchedText = eyJhbGci...9UGU
Critical
Critical Secret

Package contains a critical-looking secret pattern.

docs/api-dev.mdView on unpkg · L49
49patternName = supabase_service_key severity = critical line = 49 matchedText = eyJhbGci...9UGU
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L49
53patternName = supabase_service_key severity = critical line = 53 matchedText = -H "Auth...U" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L53
115patternName = supabase_service_key severity = critical line = 115 matchedText = -H "Auth...8" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L115
121patternName = supabase_service_key severity = critical line = 121 matchedText = -H "Auth...U" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L121
144patternName = supabase_service_key severity = critical line = 144 matchedText = -H "Auth...0" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L144
287patternName = supabase_service_key severity = critical line = 287 matchedText = -H "Auth...Q" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L287
351patternName = supabase_service_key severity = critical line = 351 matchedText = -H "Auth...M" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L351
459patternName = supabase_service_key severity = critical line = 459 matchedText = curl -v ...g" \
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L459
470patternName = supabase_service_key severity = critical line = 470 matchedText = curl -v ...ests
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L470
509patternName = supabase_service_key severity = critical line = 509 matchedText = curl -v ...ests
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L509
513patternName = supabase_service_key severity = critical line = 513 matchedText = curl -v ...eads
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L513
524patternName = supabase_service_key severity = critical line = 524 matchedText = curl -v ...463c
Critical
Secret Pattern

Supabase service role key (JWT) in docs/api-dev.md

docs/api-dev.mdView on unpkg · L524
utils/jobs-worker-queue-manager/queueManagerClassV2.jsView file
270L271: // eval(fdata.function) L272:
Low
Eval

Package source references a known benign dynamic code generation pattern.

utils/jobs-worker-queue-manager/queueManagerClassV2.jsView on unpkg · L270
middleware/noentitycheck.jsView file
1var winston = require('../config/winston'); L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

middleware/noentitycheck.jsView on unpkg · L1
archive.shView file
path = archive.sh kind = build_helper sizeBytes = 2865 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

archive.shView on unpkg
pubmodules/cache/mongoose-cachegoose-fn.jsView file
943patternName = generic_password severity = medium line = 943 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js

pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L943
945patternName = generic_password severity = medium line = 945 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js

pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L945
946patternName = generic_password severity = medium line = 946 matchedText = // winst...rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js

pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L946
pubmodules/sms/listener.jsView file
26patternName = generic_password severity = medium line = 26 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/sms/listener.js

pubmodules/sms/listener.jsView on unpkg · L26
pubmodules/voice-twilio/listener.jsView file
23patternName = generic_password severity = medium line = 23 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/voice-twilio/listener.js

pubmodules/voice-twilio/listener.jsView on unpkg · L23
pubmodules/voice/listener.jsView file
32patternName = generic_password severity = medium line = 32 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/voice/listener.js

pubmodules/voice/listener.jsView on unpkg · L32
pubmodules/tilebot/listener.jsView file
42patternName = generic_password severity = medium line = 42 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/tilebot/listener.js

pubmodules/tilebot/listener.jsView on unpkg · L42
pubmodules/whatsapp/listener.jsView file
26patternName = generic_password severity = medium line = 26 matchedText = winston....rd);
Medium
Secret Pattern

Hardcoded password in pubmodules/whatsapp/listener.js

pubmodules/whatsapp/listener.jsView on unpkg · L26
test/kbRoute.jsView file
195patternName = generic_password severity = medium line = 195 matchedText = .send({ ..." })
Medium
Secret Pattern

Hardcoded password in test/kbRoute.js

test/kbRoute.jsView on unpkg · L195
test/projectRoute.jsView file
64patternName = generic_password severity = medium line = 64 matchedText = .send({ ..." })
Medium
Secret Pattern

Hardcoded password in test/projectRoute.js

test/projectRoute.jsView on unpkg · L64
109patternName = generic_password severity = medium line = 109 matchedText = .send({ ..." })
Medium
Secret Pattern

Hardcoded password in test/projectRoute.js

test/projectRoute.jsView on unpkg · L109
test/authorization.jsView file
32patternName = generic_password severity = medium line = 32 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authorization.js

test/authorization.jsView on unpkg · L32
test/authentication.jsView file
159patternName = generic_password severity = medium line = 159 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L159
208patternName = generic_password severity = medium line = 208 matchedText = // ..." })
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L208
235patternName = generic_password severity = medium line = 235 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L235
259patternName = generic_password severity = medium line = 259 matchedText = var pwd ...4!";
Medium
Secret Pattern

Hardcoded password in test/authentication.js

test/authentication.jsView on unpkg · L259
docs/deploy.mdView file
60patternName = private_key_rsa severity = critical line = 60 matchedText = FIREBASE...MXYX
Critical
Secret Pattern

RSA private key in docs/deploy.md

docs/deploy.mdView on unpkg · L60
services/emailService.jsView file
266patternName = private_key_rsa severity = critical line = 266 matchedText = // pri.....",
Critical
Secret Pattern

RSA private key in services/emailService.js

services/emailService.jsView on unpkg · L266

Findings

16 Critical3 High22 Medium7 Low
CriticalCritical Secretdocs/api-dev.md
CriticalManifest Confusionpackage.json
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/api-dev.md
CriticalSecret Patterndocs/deploy.md
CriticalSecret Patternservices/emailService.js
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated
HighNode Builtin Dependency Squatpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiremiddleware/noentitycheck.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperarchive.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpubmodules/cache/mongoose-cachegoose-fn.js
MediumSecret Patternpubmodules/cache/mongoose-cachegoose-fn.js
MediumSecret Patternpubmodules/cache/mongoose-cachegoose-fn.js
MediumSecret Patternpubmodules/sms/listener.js
MediumSecret Patternpubmodules/voice-twilio/listener.js
MediumSecret Patternpubmodules/voice/listener.js
MediumSecret Patternpubmodules/tilebot/listener.js
MediumSecret Patternpubmodules/whatsapp/listener.js
MediumSecret Patterntest/kbRoute.js
MediumSecret Patterntest/projectRoute.js
MediumSecret Patterntest/projectRoute.js
MediumSecret Patterntest/authorization.js
MediumSecret Patterntest/authentication.js
MediumSecret Patterntest/authentication.js
MediumSecret Patterntest/authentication.js
MediumSecret Patterntest/authentication.js
LowScripts Present
LowEvalutils/jobs-worker-queue-manager/queueManagerClassV2.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License