
cryptflex@1.0.2

A flexible, modern password hashing library with pluggable backends

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time or import-time malware behavior was found. The remaining risk is runtime leakage of sensitive password verification data to local logs for the bcrypt backend.

Static reason
One or more suspicious static signals were detected.
Trigger
Application calls PasswordHasher.verify() with backend 'bcrypt'.
Impact
Plaintext passwords or password-derived verification data may appear in application logs.
Mechanism
debug console logging of password/hash material
Attack narrative
When an application uses the bcrypt backend and calls verify(), the package prints the supplied password and hash-related objects to stdout. This is not network exfiltration or install-time compromise, but it can expose credentials in logs during normal runtime use.
Rationale
Source inspection shows no lifecycle hook, persistence, network exfiltration, or agent hijack behavior, but bcrypt verification contains explicit debug logging of sensitive inputs. This is a real security risk but not confirmed malicious package behavior.
Evidence
package.json, src/index.js, src/core/passwordHasher.js, src/utils/phc.js, src/core/types.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • src/core/passwordHasher.js bcrypt verify logs plaintext password, salt, hash object, params, reconstructed hash, and compare result to console.
  • Runtime credential logging is activated by user-invoked verify() when backend is bcrypt.
Evidence against
  • package.json has no npm lifecycle hooks and main is src/index.js only.
  • src/index.js only exports PasswordHasher.
  • No fs writes, child_process, eval/vm/Function, dynamic remote loading, persistence, or agent control-surface writes found.
  • No runtime network calls or exfiltration endpoints found.
  • Password hashing code is package-aligned and uses crypto/argon2/bcryptjs/scrypt backends.
Behavioral surface
Source
Crypto
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 23.5 KB of source

Source & flagged code

2 flagged
src/core/passwordHasher.js
patternName = generic_password · severity = medium · line = 428 · matchedText = console....rd);
Medium
Secret Pattern

Package contains a possible secret pattern.

src/core/passwordHasher.js · L428
README.md
patternName = generic_password · severity = medium · line = 148 · matchedText = console....true
Medium
Secret Pattern

Hardcoded password in README.md

README.md · L148

Findings

2 Medium · 1 Low
Medium · Secret Pattern · src/core/passwordHasher.js
Medium · Secret Pattern · README.md
Low · Scripts Present