AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious package behavior was found. A serious runtime auth weakness is present because JWT payloads appear accepted without signature verification.
Decision evidence
public snapshot- ltits/modules/Auth.js decodes JWTs and fetches a JWK set but does not call jwt.verify or otherwise verify the signature before returning payload.
- ltits/provider/provider.js uses Auth.validateToken results to create sessions and accept notice tokens, so forged LTI tokens may be trusted at runtime.
- Runtime network calls use platform-supplied URLs for JWK, access token, PNS, NRPS, eula, and report endpoints.
- package.json has only a prepare build script; no preinstall/install/postinstall hook.
- ltits/index.js only constructs and exports a Provider instance.
- No child_process, eval/vm/Function, native binary loading, persistence, destructive filesystem behavior, or credential harvesting found.
- Database writes are package-aligned LTI provider state and key storage after user setup/runtime requests.
- Network activity is user/runtime-invoked LTI/OIDC platform integration, not hardcoded exfiltration.
Source & flagged code
2 flagged · loading sourceltits/modules/Auth.js decodes JWTs and fetches a JWK set but does not call jwt.verify or otherwise verify the signature before returning payload.
ltits/modules/Auth.jsView on unpkgltits/provider/provider.js uses Auth.validateToken results to create sessions and accept notice tokens, so forged LTI tokens may be trusted at runtime.
ltits/provider/provider.jsView on unpkg