registry  /  datpath  /  1.0.5

datpath@1.0.5

datpath - 代码分发与管理工具

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky primitives are tied to explicit CLI workflows for a code distribution tool rather than install-time or import-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs datpath CLI commands such as login, init, pull, env, install, or node api_manager.js submit.
Impact
Can write datpath config/masterkey files and optional shell profile lines, and can send user-selected package data to configured or datpath service endpoints.
Mechanism
User-invoked CLI network operations, local datpath config storage, and optional shell prompt integration.
Rationale
Static inspection found suspicious primitives, but they are activated by documented/user-invoked CLI commands and align with the package's stated code-distribution and server-management purpose. There is no lifecycle execution, import-time execution, hidden credential collection, or unconsented persistence/exfiltration sufficient to classify datpath@1.0.5 as malicious.
Evidence
package.jsonsrc/index.jssrc/config.jssrc/api.jssrc/keychain.jsbin/jsapi.jsapi_manager.jstest_crypto.js~/.datpath/config.json~/.datpath/.masterkey~/.datpath/.masterkey.dpapi~/.bashrc~/.zshrc~/Documents/WindowsPowerShell/Microsoft.PowerShell_profile.ps1~/Documents/PowerShell/Microsoft.PowerShell_profile.ps1./jsapi_modules/<packageName>/<server-provided files>
Network endpoints3
${serverUrl}/remote/cli/requestapi-vip1.datpath.com/v2/codeup/default/0/jsapi/signature/checkapi-vip1.datpath.com/v2/codeup/default/0/jsapi/snapshot/push

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • api_manager.js has a hardcoded AES key and can upload selected .md package content to https://api-vip1.datpath.com when run manually.
  • bin/jsapi.js init command appends shell integration to ~/.bashrc, ~/.zshrc, or PowerShell profile.
  • src/keychain.js uses execSync for OS credential-store commands, scoped to datpath master key storage.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • src/index.js only exports modules; no import-time network, shell, or profile mutation.
  • bin/jsapi.js profile writes require explicit `datpath init`; network actions require explicit CLI commands and login.
  • src/api.js sends encrypted command objects only to user-configured serverUrl /remote/cli/request.
  • src/config.js stores datpath credentials under ~/.datpath/config.json with local encryption/migration logic.
  • No credential harvesting, hidden exfiltration, persistence at install time, destructive behavior, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 55.0 KB of source, external domains: api-vip1.datpath.com

Source & flagged code

4 flagged · loading source
test_crypto.jsView file
3patternName = generic_password severity = medium line = 3 matchedText = const pa...Xk="
Medium
Secret Pattern

Package contains a possible secret pattern.

test_crypto.jsView on unpkg · L3
api_manager.jsView file
10*/ L11: const axios = require("axios") L12: const fs = require("fs") L13: const path = require("path") L14: const FormData = require("form-data") L15: const crypto = require('crypto'); ... L44: let param = parseParam(args); L45: // 解码 Base64 密钥 L46: function aesEncrypt(data, key) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

api_manager.jsView on unpkg · L10
bin/jsapi.jsView file
6const path = require("path") L7: const pkg = require("../package.json") L8: const config = require("../src/config") ... L13: input: process.stdin, L14: output: process.stdout, L15: }) ... L31: rl.close() L32: process.stdout.write("\n") L33: resolve(answer) ... L219: .command("init [shell]") L220: .description("初始化 shell 集成,提示符显示当前服务器 (自动检测或指定 powershell/bash/zsh)") L221: .action((shell) => {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/jsapi.jsView on unpkg · L6
src/config.jsView file
matchType = previous_version_dangerous_delta matchedPackage = datpath@1.0.3 matchedIdentity = npm:ZGF0cGF0aA:1.0.3 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/config.jsView on unpkg

Findings

1 Critical4 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/config.js
MediumSecret Patterntest_crypto.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/jsapi.js
LowScripts Present
LowWeak Cryptoapi_manager.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings