AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious payload was found, but the package contains a runtime AMQP-triggered dynamic code execution path. Install-time token handling writes a local .npmrc only when an enterprise env flag is set.
Decision evidence
public snapshot- package.json preinstall runs enable-ent when ENABLE_ENTERPRISE_MODULE is set and writes NPM_TOKEN into .npmrc.
- utils/jobs-worker-queue-manager/queueManagerClassV2.js consumes AMQP routing key functions and executes fdata.function via new Function.
- utils/jobs-worker-queue-manager/JobManagerV2.js has deprecated schedule(fn,payload) that serializes functions onto the functions queue.
- pubmodules/s/* is obfuscated payment/Stripe code, increasing review risk though source map names it payments.
- docs/api-dev.md contains example credentials/JWTs/project secrets in documentation.
- No unconditional install-time network call or import-time exfiltration found in package.json or bin/www.
- The .npmrc write is env-gated and appears intended to install private @tiledesk-ent optional modules, not to transmit credentials.
- bin/www starts an Express/WebSocket server for the declared Tiledesk product.
- AMQP, Stripe, Firebase, webhook, and email network use is server/product-aligned and configuration-driven.
- middleware/noentitycheck.js scanner dynamic-require hint is a simple Express middleware with no dynamic require.
- Documentation secrets appear to be examples/test tokens, not code paths that harvest or exfiltrate secrets.
Source & flagged code
38 flagged · loading sourceTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
docs/api-dev.mdView on unpkg · L49Package source references a known benign dynamic code generation pattern.
utils/jobs-worker-queue-manager/queueManagerClassV2.jsView on unpkg · L270Package source references dynamic require/import behavior.
middleware/noentitycheck.jsView on unpkg · L1Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js
pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L943Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js
pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L945Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js
pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L946Hardcoded password in pubmodules/sms/listener.js
pubmodules/sms/listener.jsView on unpkg · L26Hardcoded password in pubmodules/voice-twilio/listener.js
pubmodules/voice-twilio/listener.jsView on unpkg · L23Hardcoded password in pubmodules/voice/listener.js
pubmodules/voice/listener.jsView on unpkg · L32Hardcoded password in pubmodules/tilebot/listener.js
pubmodules/tilebot/listener.jsView on unpkg · L42Hardcoded password in pubmodules/whatsapp/listener.js
pubmodules/whatsapp/listener.jsView on unpkg · L26Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L159Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L208Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L235Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L259RSA private key in services/emailService.js
services/emailService.jsView on unpkg · L266