AI Security Review
scanned 3h ago · by lpm-firewall-aiNormal server startup loads an obfuscated Stripe module that writes Stripe credentials to configured application logs. The preinstall hook only conditionally creates a local npm credential file for enterprise dependencies; no AI-agent control surface is modified.
Decision evidence
public snapshot- `pubmodules/s/stripe/index.js` is obfuscated and reads Stripe secret environment variables.
- That module logs `apiKey`, `endpointSecret`, and `apiSecretKey` at import and webhook handling.
- `services/modulesManager.js` loads the Stripe module during normal server startup.
- `config/winston.js` writes info logs to console and `logs/app.log`.
- `package.json` preinstall conditionally writes `.npmrc` from `NPM_TOKEN`.
- No install hook downloads or executes a remote payload.
- No child-process, shell, native loader, or package-controlled exfiltration endpoint was found.
- The `.npmrc` write is guarded by `ENABLE_ENTERPRISE_MODULE` and targets npm registry configuration.
- `queueManagerClassV2.js` contains `new Function`, but its worker calls nonexistent `processMsg3`, not `processMsg2`.
Source & flagged code
39 flagged · loading sourceTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
docs/api-dev.mdView on unpkg · L49Package source references a known benign dynamic code generation pattern.
utils/jobs-worker-queue-manager/queueManagerClassV2.jsView on unpkg · L270Package source references dynamic require/import behavior.
middleware/noentitycheck.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
app.jsView on unpkgHardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js
pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L943Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js
pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L945Hardcoded password in pubmodules/cache/mongoose-cachegoose-fn.js
pubmodules/cache/mongoose-cachegoose-fn.jsView on unpkg · L946Hardcoded password in pubmodules/sms/listener.js
pubmodules/sms/listener.jsView on unpkg · L26Hardcoded password in pubmodules/voice-twilio/listener.js
pubmodules/voice-twilio/listener.jsView on unpkg · L23Hardcoded password in pubmodules/voice/listener.js
pubmodules/voice/listener.jsView on unpkg · L32Hardcoded password in pubmodules/tilebot/listener.js
pubmodules/tilebot/listener.jsView on unpkg · L42Hardcoded password in pubmodules/whatsapp/listener.js
pubmodules/whatsapp/listener.jsView on unpkg · L26Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L159Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L208Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L235Hardcoded password in test/authentication.js
test/authentication.jsView on unpkg · L259RSA private key in services/emailService.js
services/emailService.jsView on unpkg · L266