registry  /  abler-drm-tool  /  1.0.110

abler-drm-tool@1.0.110

开发者远程维护工具

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package deliberately provides a runtime remote-maintenance API with shell execution, database/Redis operations, and code-file transfer. It is activated only after a host application configures and mounts its exported router; no install-time attack surface was found.

Static reason
One or more suspicious static signals were detected.
Trigger
A host application calls `drmTool.config()` and mounts `drmRouter`, then a client invokes `/AD42F6697B035B7580E4FEF93BE20B4D/:destEnvType/:command`.
Impact
Authorized or improperly exposed callers could execute commands, alter data, or transfer code/files on the hosting environment.
Mechanism
Developer-gated remote maintenance, including arbitrary shell command execution and configured file forwarding.
Rationale
Source inspection confirms a high-impact, intentionally user-invoked remote-administration capability rather than covert install-time malware. Flag as a warning because safe deployment depends on correct application configuration and access control.
Evidence
package.jsonREADME.mddist/cjs/pp-util.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cjs/pp-util.js` exposes an `exec` command that passes supplied commands to `childProcess.exec`.
  • The Express router exposes remote maintenance endpoints for SQL, Redis, file upload/download, logs, and command execution.
  • Configured `uploadUrl` and forwarding targets can transmit file contents to remote maintenance endpoints.
  • TLS requests disable certificate verification with `rejectUnauthorized: false`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `README.md` describes an explicitly integrated developer remote-maintenance service.
  • Command dispatch calls `sureNoDangers` and remote forwarding requires a configured developer private key and allowed client hosts.
  • No hard-coded external host, credential-harvesting routine, AI-agent control-surface mutation, or import-time network action was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 98.1 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: child_process
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings