registry  /  datpath  /  1.0.8

datpath@1.0.8

datpath - 代码分发与管理工具

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time attack was found, but the CLI has user-invoked collection and transmission of hardware/user identifiers. Shell profile mutation is explicit via `datpath init`, not automatic during npm install.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs datpath CLI commands after login, especially login/ping/list/env or datpath init
Impact
Configured server receives local device identifiers; init modifies the user's shell startup profile when requested.
Mechanism
user-invoked device fingerprint transmission and explicit shell profile integration
Rationale
The package is not malicious by LPM blocking criteria because risky behavior is explicit/user-invoked and aligned with a code distribution CLI, with no lifecycle hook or hidden import-time execution. It remains suspicious due to hardware fingerprint collection sent over the CLI protocol and explicit shell profile persistence.
Evidence
package.jsonbin/jsapi.jssrc/api.jssrc/config.jssrc/keychain.jssrc/device.jsapi_manager.js~/.datpath/config.json~/.datpath/.masterkey~/.bashrc~/.zshrc~/Documents/WindowsPowerShell/Microsoft.PowerShell_profile.ps1~/Documents/PowerShell/Microsoft.PowerShell_profile.ps1
Network endpoints3
${serverUrl}/remote/cli/requestapi-vip1.datpath.com/v2/codeup/default/0/jsapi/signature/checkapi-vip1.datpath.com/v2/codeup/default/0/jsapi/snapshot/push

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/device.js collects username, MAC, disk, BIOS, and motherboard identifiers via execSync/read commands
  • src/api.js attaches getDeviceInfo() to every command and POSTs to `${serverUrl}/remote/cli/request`
  • bin/jsapi.js `init` explicitly appends shell integration lines to .bashrc/.zshrc/PowerShell profile
  • api_manager.js contains hardcoded datpath.com upload endpoints and encryption key, but is not package main/bin
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin/jsapi.js actions require explicit CLI commands such as login/init/push/pull/env
  • Network target for main CLI is user-supplied login serverUrl, not a hidden fixed exfiltration host
  • src/index.js only exports modules; no import-time network or filesystem mutation observed
  • Credential storage is under ~/.datpath and uses local keychain/masterkey encryption
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 69.1 KB of source, external domains: api-vip1.datpath.com

Source & flagged code

4 flagged · loading source
test_crypto.jsView file
3patternName = generic_password severity = medium line = 3 matchedText = const pa...Xk="
Medium
Secret Pattern

Package contains a possible secret pattern.

test_crypto.jsView on unpkg · L3
api_manager.jsView file
10*/ L11: const axios = require("axios") L12: const fs = require("fs") L13: const path = require("path") L14: const FormData = require("form-data") L15: const crypto = require('crypto'); ... L44: let param = parseParam(args); L45: // 解码 Base64 密钥 L46: function aesEncrypt(data, key) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

api_manager.jsView on unpkg · L10
bin/jsapi.jsView file
matchType = previous_version_dangerous_delta matchedPackage = datpath@1.0.5 matchedIdentity = npm:ZGF0cGF0aA:1.0.5 similarity = 0.625 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/jsapi.jsView on unpkg
6const path = require("path") L7: const pkg = require("../package.json") L8: const config = require("../src/config") ... L13: input: process.stdin, L14: output: process.stdout, L15: }) ... L31: rl.close() L32: process.stdout.write("\n") L33: resolve(answer) ... L256: .command("init [shell]") L257: .description("初始化 shell 集成,提示符显示当前服务器 (自动检测或指定 powershell/bash/zsh)") L258: .action((shell) => {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/jsapi.jsView on unpkg · L6

Findings

1 High4 Medium5 Low
HighPrevious Version Dangerous Deltabin/jsapi.js
MediumSecret Patterntest_crypto.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/jsapi.js
LowScripts Present
LowWeak Cryptoapi_manager.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings