AI Security Review
scanned 18m ago · by lpm-firewall-aiPublished configuration exposes credential material to package recipients. Runtime code is a platform-coupled Cloudflare domain-management module; no confirmed malware chain was found.
Static reason
One or more suspicious static signals were detected.
Trigger
Obtaining the package exposes `config_dev.json`; importing `index.mjs` loads XUDA platform modules, while exported operations invoke Cloudflare APIs.
Impact
Recipients may extract and misuse the embedded credentials; no source-confirmed host-data exfiltration or remote-code execution exists.
Mechanism
Embedded credential exposure and authenticated domain-management API calls.
Rationale
No concrete malicious execution behavior was established, but distributing credential material is a real high-severity supply-chain exposure. The dynamic imports and Cloudflare traffic are otherwise aligned with the stated domain-management purpose.
Evidence
package.jsonindex.mjsindex_ms.mjsindex_msa.mjsscripts/backfill_completed_transfer_registrations.mjsconfig_dev.json
Network endpoints2
api.cloudflare.com/client/v4cloudflare-dns.com/dns-query
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `config_dev.json` contains an npm token and private-key credential material.
- `index.mjs` authenticates Cloudflare API requests from loaded configuration.
- Importing `index.mjs` dynamically loads XUDA_HOME platform modules.
Evidence against
- `package.json` defines no install lifecycle hooks.
- No shell execution, eval, filesystem harvesting, or arbitrary payload download was found.
- Network calls target Cloudflare registrar/DNS endpoints consistent with domain management.
- The helper script requires explicit `--apply` before database writes.
Behavioral surface
CryptoDynamicRequireEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
10 flagged · loading sourceconfig_dev.jsonView file
5patternName = npm_token
severity = critical
line = 5
matchedText = "token":...SoD"
Critical
5patternName = npm_token
severity = critical
line = 5
matchedText = "token":...SoD"
Critical
135patternName = private_key_rsa
severity = critical
line = 135
matchedText = "private...-\n"
Critical
216patternName = private_key_rsa
severity = critical
line = 216
matchedText = "private...\n",
Critical
228patternName = private_key_rsa
severity = critical
line = 228
matchedText = "private...\n",
Critical
139patternName = stripe_test_secret
severity = high
line = 139
matchedText = "secret_...Ih",
High
140patternName = stripe_webhook_secret
severity = high
line = 140
matchedText = "webhook...0fA"
High
195patternName = google_api_key
severity = high
line = 195
matchedText = "apiKey"...AA",
High
204patternName = google_api_key
severity = high
line = 204
matchedText = "apiKey"...1I",
High
index_ms.mjsView file
8L9: const { MessageBroker } = await import(path.join(process.env.XUDA_HOME, 'common', 'ms_broker.mjs'));
L10:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
index_ms.mjsView on unpkg · L8Findings
5 Critical4 High3 Medium3 Low
CriticalCritical Secretconfig_dev.json
CriticalSecret Patternconfig_dev.json
CriticalSecret Patternconfig_dev.json
CriticalSecret Patternconfig_dev.json
CriticalSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
HighSecret Patternconfig_dev.json
MediumDynamic Requireindex_ms.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings