registry  /  minitest2.0  /  0.0.11

minitest2.0@0.0.11

dkajsdasjkdasldhasldhlasid

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Vue/Vite app with normal runtime API calls and a build-only Vite plugin that mutates package-owned build/config artifacts.

Static reason
One or more suspicious static signals were detected.
Trigger
User-run dev/build/runtime app usage only; no npm lifecycle trigger.
Impact
No evidence of exfiltration, persistence, destructive behavior, or install-time mutation.
Mechanism
Benign frontend API client and build packaging helper.
Rationale
Static inspection shows a conventional Vue/Vite frontend package; scanner network and secret hints map to ordinary app configuration, repository/registry URLs, and placeholder API values. There is no automatic install/import-time malicious behavior or unconsented control-surface mutation.
Evidence
package.json.env.productionsrc/utils/request.tssrc/config/env.tsplugins/bump-version.tsvite.config.tssrc/utils/auth-token.tssrc/api/user.tssrc/core/mxApi/index.tsdocs/jsapi.jssrc/config/plugin.properties.prosrc/config/plugin.properties.testsrc/config/config.propertiesdist/www/config.propertiesdist/plugin.propertiesdist/dist_*.zip
Network endpoints4
api.example.com10.56.183.104:8090registry.npmjs.orggithub.com/ruiange/mini2.0.git

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks and no bin entrypoint.
    • package.json scripts are developer Vite/build/lint/publish commands, not automatic install-time execution.
    • .env.production contains Vite config only: production mode, https://api.example.com, timeout; no real credential observed.
    • src/utils/request.ts uses axios against configured app API and attaches stored auth tokens to same app API requests.
    • plugins/bump-version.ts is a Vite build plugin that updates package-owned config and dist zip files only when build runs.
    • No AI-agent control-surface writes, credential harvesting, shell execution, eval, or remote payload loading found.
    Behavioral surface
    Source
    FilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 33 file(s), 122 KB of source, external domains: 10.56.183.104

    Source & flagged code

    1 flagged · loading source
    .env.productionView file
    patternName = blocked_file severity = critical matchedText = .env.production redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .env.productionView on unpkg

    Findings

    1 Critical1 Medium4 Low
    CriticalCritical Secret.env.production
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings