registry  /  datpath  /  1.0.3

datpath@1.0.3

datpath - 代码分发与管理工具

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are aligned with an explicit code-distribution CLI: login config storage, user-directed API calls, pull/write package files, and optional shell prompt integration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user CLI commands such as login, init, pull, install, env, or directly running api_manager.js.
Impact
Can store entered credentials locally, modify shell prompt profiles, and download/upload code files when the user invokes those commands.
Mechanism
user-invoked CLI configuration, network API requests, and file writes
Rationale
Static inspection found sensitive-looking behavior, but it is tied to documented, explicit CLI workflows for a code distribution tool rather than install-time/import-time compromise or hidden exfiltration. The profile modification and network/file operations are user-invoked and package-aligned, so the scanner hints appear noisy rather than malicious.
Evidence
package.jsonsrc/index.jssrc/api.jssrc/config.jssrc/crypto.jsbin/jsapi.jsapi_manager.jstest_crypto.js~/.datpath/config.json~/.bashrc~/.zshrc~/Documents/WindowsPowerShell/Microsoft.PowerShell_profile.ps1~/Documents/PowerShell/Microsoft.PowerShell_profile.ps1./jsapi_modules/<packageName>/*<user-specified -dir>/**/*.md
Network endpoints3
<serverUrl>/remote/cli/requestapi-vip1.datpath.com/v2/codeup/default/0/jsapi/signature/checkapi-vip1.datpath.com/v2/codeup/default/0/jsapi/snapshot/push

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/jsapi.js user-invoked init appends shell profile integration to .bashrc/.zshrc/PowerShell profile.
  • src/config.js stores user-entered login uid/password under ~/.datpath/config.json.
  • api_manager.js contains hardcoded api-vip1.datpath.com upload endpoints and a static encryption key.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • src/index.js only exports config/api/crypto modules; no import-time execution beyond requires.
  • bin/jsapi.js network calls require explicit CLI commands and use configured or supplied server URLs.
  • Shell profile writes only occur after explicit `datpath init`, not at install or import time.
  • api_manager.js is not main or bin entrypoint and only uploads files from user-specified -dir when run directly.
  • No credential harvesting, hidden exfiltration, destructive actions, persistence on install, or AI-agent control-surface writes found.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 49.0 KB of source, external domains: api-vip1.datpath.com

Source & flagged code

4 flagged · loading source
test_crypto.jsView file
3patternName = generic_password severity = medium line = 3 matchedText = const pa...Xk="
Medium
Secret Pattern

Package contains a possible secret pattern.

test_crypto.jsView on unpkg · L3
api_manager.jsView file
10*/ L11: const axios = require("axios") L12: const fs = require("fs") L13: const path = require("path") L14: const FormData = require("form-data") L15: const crypto = require('crypto'); ... L44: let param = parseParam(args); L45: // 解码 Base64 密钥 L46: function aesEncrypt(data, key) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

api_manager.jsView on unpkg · L10
bin/jsapi.jsView file
matchType = previous_version_dangerous_delta matchedPackage = datpath@1.0.2 matchedIdentity = npm:ZGF0cGF0aA:1.0.2 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/jsapi.jsView on unpkg
6const path = require("path") L7: const pkg = require("../package.json") L8: const config = require("../src/config") ... L13: input: process.stdin, L14: output: process.stdout, L15: }) ... L31: rl.close() L32: process.stdout.write("\n") L33: resolve(answer) ... L219: .command("init [shell]") L220: .description("初始化 shell 集成,提示符显示当前服务器 (自动检测或指定 powershell/bash/zsh)") L221: .action((shell) => {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/jsapi.jsView on unpkg · L6

Findings

1 Critical4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/jsapi.js
MediumSecret Patterntest_crypto.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/jsapi.js
LowScripts Present
LowWeak Cryptoapi_manager.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings