brettai@0.2.8

Brett — coding agent

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious payload was found, but the package has a broad interactive coding-agent surface. The main unresolved risk is runtime self-update plus remote-model-mediated command and diff workflows.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the brett CLI, logs in, asks it to work on a project, accepts commands/diffs, or starts it from node_modules when a newer npm version exists.
Impact
May execute approved local commands, read user-mentioned project files, write accepted diffs, upload transcripts/outputs to its platform, and replace the global package with the latest npm release.
Mechanism
Interactive AI agent with network chat, gated shell execution, reviewed diff application, transcript sync, and runtime npm self-update.
Attack narrative
When the user runs brett, the CLI logs in through Supabase, streams chat to the Brett platform, can read selected repository files, can execute gated shell commands requested by the assistant, and can apply reviewed diffs. It also checks registry.npmjs.org and may run npm install -g brettai@latest --force automatically when installed from node_modules. These are dangerous capabilities, but source inspection shows them as visible interactive coding-agent behavior rather than stealth malware.
Rationale
Static inspection found a high-risk AI coding-agent design, especially the self-update and shell/diff features, but no unconsented install-time execution and no covert exfiltration beyond package-aligned, logged-in agent workflows. Treat as a warning-worthy dangerous capability rather than malware.
Evidence
  • package.json
  • dist/index.js
  • ~/.brett/auth.json
  • ~/.brett/prefs.json
  • user-mentioned project files
  • accepted diff target paths
Network endpoints (4)
  • szocqslnprdbvmwmsamf.supabase.co
  • vericlaw-coding-agent-production.up.railway.app
  • registry.npmjs.org/
  • localhost:8000

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js runs user/AI-requested shell commands via child_process exec with command output sent back into the chat flow
  • dist/index.js can apply model-produced unified diffs to project files after interactive acceptance
  • dist/index.js auto-checks npm registry and can run npm install -g brettai@latest --force at runtime when installed under node_modules
  • dist/index.js posts transcripts, command output, selected file contents, memory, and billing/account requests to the Brett platform
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts
  • bin entry is an interactive coding-agent CLI; shell, file read, diff write, and network behavior are core product features
  • command execution is gated: network tools are banned, destructive commands require confirmation, and diff writes go through review UI
  • Supabase JWT is an anon key used for login; credentials are user-entered only on brett login and stored under ~/.brett/auth.json
  • No evidence of stealth credential harvesting, persistence, destructive payloads, dependency confusion, or import-time execution
Behavioral surface
Source
ChildProcess, EnvironmentVars, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 1 file(s), 57.7 KB of source, external domains: registry.npmjs.org, szocqslnprdbvmwmsamf.supabase.co, vericlaw-coding-agent-production.up.railway.app

Source & flagged code

5 flagged
dist/index.js
L2: patternName = supabase_service_key, severity = critical, line = 2, matchedText = var ar=O...${e}
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.js · L2
L2: patternName = supabase_service_key, severity = critical, line = 2, matchedText = var ar=O...${e}
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index.js

dist/index.js · L2
L1: #!/usr/bin/env node
L2: var ar=Object.defineProperty;var Ot=(e,t)=>()=>(e&&(t=e(e=0)),t);var Ee=(e,t)=>{for(var n in t)ar(e,n,{get:t[n],enumerable:!0})};import{readFileSync as Sr,writeFileSync as Cr,mkdir...
L3: ${t}`,o=r.match(/Logged in to [\w.]+ account (\S+)/i)||r.match(/Logged in to [\w.]+ as (\S+)/i);return n===0&&o?{installed:!0,authed:!0,account:o[1],detail:`Connected as ${o[1]}`}:...
High
Child Process

Package source references child process execution.

dist/index.js · L1
L1: #!/usr/bin/env node
L2: var ar=Object.defineProperty;var Ot=(e,t)=>()=>(e&&(t=e(e=0)),t);var Ee=(e,t)=>{for(var n in t)ar(e,n,{get:t[n],enumerable:!0})};import{readFileSync as Sr,writeFileSync as Cr,mkdir...
L3: ${t}`,o=r.match(/Logged in to [\w.]+ account (\S+)/i)||r.match(/Logged in to [\w.]+ as (\S+)/i);return n===0&&o?{installed:!0,authed:!0,account:o[1],detail:`Connected as ${o[1]}`}:...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L1
L1: #!/usr/bin/env node
L2: var ar=Object.defineProperty;var Ot=(e,t)=>()=>(e&&(t=e(e=0)),t);var Ee=(e,t)=>{for(var n in t)ar(e,n,{get:t[n],enumerable:!0})};import{readFileSync as Sr,writeFileSync as Cr,mkdir...
L3: ${t}`,o=r.match(/Logged in to [\w.]+ account (\S+)/i)||r.match(/Logged in to [\w.]+ as (\S+)/i);return n===0&&o?{installed:!0,authed:!0,account:o[1],detail:`Connected as ${o[1]}`}:...
L4: `)}async function Pn(e){let t=et[e];if(!t)return`Unknown connector "${e}". Available: ${Object.keys(et).join(", ")}.`;let n=await t.check();return n.authed?`${t.name}: ${n.detail}....
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L1

Findings

2 Critical · 3 High · 2 Medium · 4 Low
Critical · Critical Secret · dist/index.js
Critical · Secret Pattern · dist/index.js
High · Child Process · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Command Output Exfiltration · dist/index.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings
Low · No License