registry  /  abler-drm-tool  /  1.0.106

abler-drm-tool@1.0.106

开发者远程维护工具

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The runtime router provides authenticated/configured remote maintenance operations, including arbitrary shell execution and file deployment. It is not install-time behavior, but deployment or exposure of the router creates a high-impact administrative control surface.

Static reason
One or more suspicious static signals were detected.
Trigger
An application calls `drmTool.config(...)`, mounts `drmRouter`, and receives a qualifying maintenance request.
Impact
A requester able to satisfy or reach its runtime controls can execute commands and alter or retrieve server files and data.
Mechanism
HTTP command dispatcher invokes shell commands, file operations, database/Redis actions, and remote forwarding.
Rationale
Source inspection confirms a user-integrated remote maintenance/RCE tool, not a covert install-time malicious payload. Flag it for warning because its exposed runtime capability is intrinsically high impact and network forwarding disables certificate verification.
Evidence
package.jsonREADME.mddist/cjs/pp-util.js

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cjs/pp-util.js` exposes HTTP maintenance routes that dispatch an `exec` command to `child_process.exec`.
  • The same router supports reading, writing, uploading, downloading, and copying caller-selected files.
  • It forwards encrypted maintenance requests to configuration-derived remote URLs with TLS verification disabled.
  • No install lifecycle hook is declared in `package.json`; dangerous actions require runtime configuration and router mounting.
Evidence against
  • `README.md` describes the package as a developer remote-maintenance tool and shows explicit Express router integration.
  • `package.json` ships only `dist` and has no `preinstall`, `install`, or `postinstall` script.
  • `dist/cjs/pp-util.js` restricts commands to a fixed dispatcher and includes confirmation checks for some production operations.
  • No hard-coded exfiltration endpoint, credential harvesting, stealth persistence, or AI-agent control-surface mutation was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 98.1 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: child_process
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings