registry  /  @xuda.io/domains_module  /  1.0.20

@xuda.io/domains_module@1.0.20

Xuda Domains (Cloudflare Registrar) Server Module

AI Security Review

scanned 16m ago · by lpm-firewall-ai

Published configuration exposes credential material to package recipients. Runtime code is a platform-coupled Cloudflare domain-management module; no confirmed malware chain was found.

Static reason
One or more suspicious static signals were detected.
Trigger
Obtaining the package exposes `config_dev.json`; importing `index.mjs` loads XUDA platform modules, while exported operations invoke Cloudflare APIs.
Impact
Recipients may extract and misuse the embedded credentials; no source-confirmed host-data exfiltration or remote-code execution exists.
Mechanism
Embedded credential exposure and authenticated domain-management API calls.
Rationale
No concrete malicious execution behavior was established, but distributing credential material is a real high-severity supply-chain exposure. The dynamic imports and Cloudflare traffic are otherwise aligned with the stated domain-management purpose.
Evidence
package.jsonindex.mjsindex_ms.mjsindex_msa.mjsscripts/backfill_completed_transfer_registrations.mjsconfig_dev.json
Network endpoints2
api.cloudflare.com/client/v4cloudflare-dns.com/dns-query

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `config_dev.json` contains an npm token and private-key credential material.
  • `index.mjs` authenticates Cloudflare API requests from loaded configuration.
  • Importing `index.mjs` dynamically loads XUDA_HOME platform modules.
Evidence against
  • `package.json` defines no install lifecycle hooks.
  • No shell execution, eval, filesystem harvesting, or arbitrary payload download was found.
  • Network calls target Cloudflare registrar/DNS endpoints consistent with domain management.
  • The helper script requires explicit `--apply` before database writes.
Behavioral surface
Source
CryptoDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 303 KB of source, external domains: api.cloudflare.com, cloudflare-dns.com, dash.cloudflare.com

Source & flagged code

10 flagged · loading source
config_dev.jsonView file
5patternName = npm_token severity = critical line = 5 matchedText = "token":...SoD"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

config_dev.jsonView on unpkg · L5
5patternName = npm_token severity = critical line = 5 matchedText = "token":...SoD"
Critical
Secret Pattern

npm access token in config_dev.json

config_dev.jsonView on unpkg · L5
135patternName = private_key_rsa severity = critical line = 135 matchedText = "private...-\n"
Critical
Secret Pattern

RSA private key in config_dev.json

config_dev.jsonView on unpkg · L135
216patternName = private_key_rsa severity = critical line = 216 matchedText = "private...\n",
Critical
Secret Pattern

RSA private key in config_dev.json

config_dev.jsonView on unpkg · L216
228patternName = private_key_rsa severity = critical line = 228 matchedText = "private...\n",
Critical
Secret Pattern

RSA private key in config_dev.json

config_dev.jsonView on unpkg · L228
139patternName = stripe_test_secret severity = high line = 139 matchedText = "secret_...Ih",
High
Secret Pattern

Stripe test secret key in config_dev.json

config_dev.jsonView on unpkg · L139
140patternName = stripe_webhook_secret severity = high line = 140 matchedText = "webhook...0fA"
High
Secret Pattern

Stripe webhook signing secret in config_dev.json

config_dev.jsonView on unpkg · L140
195patternName = google_api_key severity = high line = 195 matchedText = "apiKey"...AA",
High
Secret Pattern

Google API key in config_dev.json

config_dev.jsonView on unpkg · L195
204patternName = google_api_key severity = high line = 204 matchedText = "apiKey"...1I",
High
Secret Pattern

Google API key in config_dev.json

config_dev.jsonView on unpkg · L204
index_ms.mjsView file
8L9: const { MessageBroker } = await import(path.join(process.env.XUDA_HOME, 'common', 'ms_broker.mjs')); L10:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index_ms.mjsView on unpkg · L8

Findings

5 Critical4 High3 Medium3 Low
CriticalCritical Secretconfig_dev.json
CriticalSecret Patternconfig_dev.json
CriticalSecret Patternconfig_dev.json
CriticalSecret Patternconfig_dev.json
CriticalSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
MediumDynamic Requireindex_ms.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings