registry  /  mftsccs-browser  /  2.1.240-beta

mftsccs-browser@2.1.240-beta

Full Pack of concept and connection system

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time script copies a package-owned service worker bundle into the consumer app public directory. This is a real lifecycle/platform-extension risk, but source inspection did not show malicious exfiltration or remote code execution.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime activation requires app service-worker use
Impact
Consumer project public/serviceWorker.bundle.js is overwritten; runtime service worker can observe failed fetch metadata and relay it to the app client
Mechanism
install-time service worker file copy plus runtime fetch/message handling
Rationale
The package performs unconsented install-time project mutation by writing a service worker asset, which warrants a warning. Static inspection did not find concrete malicious behavior such as credential exfiltration, destructive actions, persistence beyond the app-owned service worker asset, or remote payload execution.
Evidence
package.jsonscripts/postinstall.jsdist/serviceWorker.bundle.jsdist/main.bundle.jsREADME.mdpublic/serviceWorker.bundle.js
Network endpoints5
ai.freeschema.comdevai.freeschema.com/v1/get-frontend-anomaly-parameterslogdev.freeschema.comcdn.boomconcole.com/freeschema/www.google.com/recaptcha/api.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node ./scripts/postinstall.js
  • scripts/postinstall.js creates consuming project public/ and overwrites public/serviceWorker.bundle.js
  • dist/serviceWorker.bundle.js installs/activates a service worker and handles fetch/message events
  • service worker 401 handler posts request url, headers, and JSON body back to the client page
Evidence against
  • No child_process, shell execution, eval, native binary, or dynamic remote payload loading found
  • Network calls in dist are API/client configured or package-aligned defaults for freeschema/logging/recaptcha/CDN
  • No credential harvesting or exfiltration to attacker-controlled fixed endpoint confirmed
  • README documents optional service worker mode and backend/client URL configuration
Behavioral surface
Source
FilesystemNetwork
Supply chain
MinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 1.04 MB of source, external domains: ai.freeschema.com, cdn.boomconcole.com, logdev.freeschema.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/types/Api/Signup.d.tsView file
22patternName = generic_password severity = medium line = 22 matchedText = * pass...23",
Medium
Secret Pattern

Hardcoded password in dist/types/Api/Signup.d.ts

dist/types/Api/Signup.d.tsView on unpkg · L22
55patternName = generic_password severity = medium line = 55 matchedText = * pass...ss",
Medium
Secret Pattern

Hardcoded password in dist/types/Api/Signup.d.ts

dist/types/Api/Signup.d.tsView on unpkg · L55
dist/types/Api/Signin.d.tsView file
16patternName = generic_password severity = medium line = 16 matchedText = * pass...123"
Medium
Secret Pattern

Hardcoded password in dist/types/Api/Signin.d.ts

dist/types/Api/Signin.d.tsView on unpkg · L16

Findings

1 High5 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumSecret Patterndist/types/Api/Signup.d.ts
MediumSecret Patterndist/types/Api/Signup.d.ts
MediumSecret Patterndist/types/Api/Signin.d.ts
LowScripts Present
LowFilesystem
LowUrl Strings