AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time attack was found, but the CLI has user-invoked collection and transmission of hardware/user identifiers. Shell profile mutation is explicit via `datpath init`, not automatic during npm install.
Decision evidence
public snapshot- src/device.js collects username, MAC, disk, BIOS, and motherboard identifiers via execSync/read commands
- src/api.js attaches getDeviceInfo() to every command and POSTs to `${serverUrl}/remote/cli/request`
- bin/jsapi.js `init` explicitly appends shell integration lines to .bashrc/.zshrc/PowerShell profile
- api_manager.js contains hardcoded datpath.com upload endpoints and encryption key, but is not package main/bin
- package.json has no preinstall/install/postinstall lifecycle hooks
- bin/jsapi.js actions require explicit CLI commands such as login/init/push/pull/env
- Network target for main CLI is user-supplied login serverUrl, not a hidden fixed exfiltration host
- src/index.js only exports modules; no import-time network or filesystem mutation observed
- Credential storage is under ~/.datpath and uses local keychain/masterkey encryption
Source & flagged code
4 flagged · loading sourcePackage source references weak cryptographic algorithms.
api_manager.jsView on unpkg · L10This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/jsapi.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
bin/jsapi.jsView on unpkg · L6