registry  /  abler-drm-tool  /  1.0.100

abler-drm-tool@1.0.100

开发者远程维护工具

AI Security Review

scanned 9d ago · by lpm-firewall-ai

The package is a disclosed remote maintenance router with command execution, database, Redis, and code file transfer capabilities. These are high-risk if mounted on an exposed Express app, but source inspection does not show covert install-time or import-time malware.

Static reason
One or more suspicious static signals were detected.
Trigger
User integrates drmRouter in Express and sends authenticated/encrypted maintenance requests
Impact
Remote command execution and file read/write through the mounted maintenance API if access controls are misconfigured or keys are compromised
Mechanism
developer-invoked remote administration and command execution
Attack narrative
When a host application explicitly mounts drmRouter, requests to the maintenance endpoint can run configured database/Redis actions, transfer code files, forward requests to configured hosts, and execute shell commands through child_process.exec. The implementation includes private-key/encrypted request checks and the README frames this as a developer maintenance tool, so the risk is a dangerous exposed capability rather than covert package malware.
Rationale
Static inspection confirms powerful remote administration primitives, but they are disclosed, user-invoked, and not activated by install or import alone. Treat as a warn-level dangerous capability rather than malicious publication-blocking malware.
Evidence
package.jsonREADME.mddist/cjs/pp-util.jscert/drmPrivateKey.pemcert/drmPublicKey.pemparams.fileName via uploadCodeFile/downloadCodeFile/loadFileContent
Network endpoints4
/AD42F6697B035B7580E4FEF93BE20B4D/:destEnvType/:command/AD42F6697B035B7580E4FEF93BE20B4D/:destEnvType/:command/:_function${qryEnvId}/api/AD42F6697B035B7580E4FEF93BE20B4D/${params.queryFrom}/dbQuery${postEnvId}/api/AD42F6697B035B7580E4FEF93BE20B4D/${params.insertTo}/dbExec

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cjs/pp-util.js exposes Express routes under /AD42F6697B035B7580E4FEF93BE20B4D/:destEnvType/:command.
  • dist/cjs/pp-util.js command 'exec' reaches childProcess.exec(params.cmd).
  • dist/cjs/pp-util.js codeFile upload/download can write and read arbitrary resolved file paths.
  • dist/cjs/pp-util.js forwards requests to configured hosts/URLs and disables TLS verification in urllib options.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hook.
  • README.md describes this as a developer remote maintenance tool and shows explicit Express router integration.
  • dist/cjs/pp-util.js requires encrypted request parameters or developer private key for remote operations.
  • No credential harvesting, persistence, AI-agent mutation, or import-time execution found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 98.3 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: child_process
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings