AI Security Review
scanned 2h ago · by lpm-firewall-ai
No install-time or import-time malware behavior was found. The remaining risk is runtime leakage of sensitive password verification data to local logs for the bcrypt backend.
Static reason
One or more suspicious static signals were detected.
Trigger
Application calls PasswordHasher.verify() with backend 'bcrypt'.
Impact
Plaintext passwords or password-derived verification data may appear in application logs.
Mechanism
debug console logging of password/hash material
Attack narrative
When an application uses the bcrypt backend and calls verify(), the package prints the supplied password and hash-related objects to stdout. This is not network exfiltration or install-time compromise, but it can expose credentials in logs during normal runtime use.
Rationale
Source inspection shows no lifecycle hook, persistence, network exfiltration, or agent hijack behavior, but bcrypt verification contains explicit debug logging of sensitive inputs. This is a real security risk but not confirmed malicious package behavior.
Evidence
- package.json
- src/index.js
- src/core/passwordHasher.js
- src/utils/phc.js
- src/core/types.js
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- src/core/passwordHasher.js bcrypt verify logs plaintext password, salt, hash object, params, reconstructed hash, and compare result to console.
- Runtime credential logging is activated by user-invoked verify() when backend is bcrypt.
Evidence against
- package.json has no npm lifecycle hooks and main is src/index.js only.
- src/index.js only exports PasswordHasher.
- No fs writes, child_process, eval/vm/Function, dynamic remote loading, persistence, or agent control-surface writes found.
- No runtime network calls or exfiltration endpoints found.
- Password hashing code is package-aligned and uses crypto/argon2/bcryptjs/scrypt backends.
Behavioral surface
Crypto
Source & flagged code
2 flagged
src/core/passwordHasher.js
patternName = generic_password
severity = medium
line = 428
matchedText = console....rd);
Medium
Secret Pattern
Package contains a possible secret pattern.
src/core/passwordHasher.js · L428
README.md
patternName = generic_password
severity = medium
line = 148
matchedText = console....true
Medium
Findings
2 Medium · 1 Low
Medium · Secret Pattern · src/core/passwordHasher.js
Medium · Secret Pattern · README.md
Low · Scripts Present