
cb-institution@1.0.2

A CLI tool to initialize full-stack dashboards, landing pages, and servers.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No install-time malware was confirmed. The real risk is generated boilerplate shipping embedded live-looking secrets and default external service endpoints, which can connect generated apps to third-party infrastructure if copied into .env or followed from template docs.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs cb-institution, selects a template, installs dependencies, and runs the generated app.
Impact
Potential credential exposure and accidental use of publisher-controlled or third-party services by generated projects; no confirmed exfiltration by the npm CLI itself.
Mechanism
Interactive template scaffolding with embedded secrets and default external endpoints.
Attack narrative
The package is a CLI scaffolder. Running the binary prompts for a project name and template, then copies files from templates into the user’s working directory. I found no lifecycle execution, CLI network activity, shell execution, eval, or credential harvesting. However, server/dashboard/landing templates include live-looking credentials and hardcoded external service defaults that could be used by generated applications if users adopt the provided environment files or README guidance.
Rationale
Static source inspection does not support a malicious verdict for the npm package itself, but embedded live-looking secrets and default external endpoints in generated templates are a real supply-chain risk worth warning on. Scanner phishing/network findings are largely package-aligned UI behavior rather than covert exfiltration.
Evidence
  • package.json
  • bin/index.js
  • README.md
  • templates/server/local.env
  • templates/server/src/config/index.ts
  • templates/server/src/server.ts
  • templates/madrasah-landing-page/src/app/default/WhatsAppIcon.tsx
  • templates/dashboard/README.md
  • templates/dashboard/local.env
  • templates/madrasah-landing-page/local.env
Network endpoints (7)
  • mongodb+srv://cluster0.541tyao.mongodb.net/institutionDB
  • smtp.gmail.com
  • freeimage.host/api/1/upload
  • school-server-zeta.vercel.app/api/v1
  • wa.me/
  • edux-profile.codebiruni.com/
  • codebiruni.com/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • templates/server/local.env contains live-looking MongoDB Atlas URI, JWT secrets, email password, Gemini key, SSLCommerz password, and image-host API key.
  • templates/server/src/config/index.ts loads secrets from .env and templates/server/src/server.ts connects to configured MongoDB at runtime.
  • README.md instructs users to run generated template with npm run dev after scaffolding; templates/dashboard/README.md tells users to create .env with external API URL.
  • bin/index.js copies selected template recursively into a user-named project directory.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • bin/index.js is an interactive scaffolder using inquirer and fs.copy; no network, shell execution, eval, or credential harvesting in the CLI.
  • WhatsAppIcon.tsx fetches package-aligned contact info and opens wa.me only after user contact click.
  • High-entropy image blobs are template assets, not loaded executables; no native binaries or executable template files found.
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1,166 file(s), 6.67 MB of source, external domains: catalyst-seven-kappa.vercel.app, cdn.arabsstock.com, codebiruni.com, discord.com, edux-dashboard.codebiruni.com, edux-mclient.codebiruni.com, edux-profile.codebiruni.com, edux-sclient.codebiruni.com, edux-student.codebiruni.com, example.com, facebook.com, flickr.com, fonts.googleapis.com, github.com, i.ibb.co, i.postimg.cc, img.freepik.com, img.youtube.com, instagram.com, institution-dashboard-liard.vercel.app, institution-profile.vercel.app, linkedin.com, media.istockphoto.com, pinterest.com, quora.com, reddit.com, schema.org, sciendo.com, t.me, tum-verify.vercel.app, tumblr.com, twitter.com, via.placeholder.com, vimeo.com, wa.me, web.whatsapp.com, www.codebiruni.com, www.facebook.com, www.google.com, www.googletagmanager.com, www.nrmmcumilla.com, www.shutterstock.com, www.youtube.com, your-institution.vercel.app, youtu.be, youtube.com

Source & flagged code

5 flagged
templates/server/local.env
patternName = google_api_key, severity = high, line = 18, matchedText = GEMINI_A...kypQ
High · High Secret

Package contains a high-severity secret pattern.

templates/server/local.env · L18
templates/server/local.env
patternName = google_api_key, severity = high, line = 18, matchedText = GEMINI_A...kypQ
High · Secret Pattern

Google API key in templates/server/local.env

templates/server/local.env · L18
templates/madrasah-landing-page/src/app/default/WhatsAppIcon.tsx
  L37: try {
  L38:   const response = await fetch(`${process.env.NEXT_PUBLIC_API_URL}/contact-info`)
  L39:   const data = await response.json()
  L40:   ...
  L94:   const whatsappUrl = `https://wa.me/${whatsappNumber}?text=${encodedMessage}`
  L95:   window.open(whatsappUrl, '_blank', 'noopener,noreferrer')
  L96:   break
Critical · Browser Phishing Redirect

Source redirects browser users to an external URL carrying identity material.

templates/madrasah-landing-page/src/app/default/WhatsAppIcon.tsx · L37
templates/server/src/public/contact.jfif
path = [redacted].jfif, kind = high_entropy_blob, sizeBytes = 5747, magicHex = [redacted]
High · Ships High Entropy Blob

Package ships high-entropy non-source blobs.

templates/server/src/public/contact.jfif
templates/server/src/app.ts
patternName = generic_password, severity = medium, line = 47, matchedText = // const...ssl'
Medium · Secret Pattern

Hardcoded password in templates/server/src/app.ts

templates/server/src/app.ts · L47

Findings

1 Critical · 3 High · 4 Medium · 4 Low
  • Critical: Browser Phishing Redirect (templates/madrasah-landing-page/src/app/default/WhatsAppIcon.tsx)
  • High: High Secret (templates/server/local.env)
  • High: Ships High Entropy Blob (templates/server/src/public/contact.jfif)
  • High: Secret Pattern (templates/server/local.env)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Medium: Secret Pattern (templates/server/src/app.ts)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings