registry  /  minitest2.0  /  0.0.14

minitest2.0@0.0.14

dkajsdasjkdasldhasldhlasid

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The app performs configured backend API requests and native-app authentication during normal runtime.

Static reason
One or more suspicious static signals were detected.
Trigger
User opens the Vue app in its supported native host or submits the login form.
Impact
Normal application authentication and business API access; no confirmed package-side exfiltration or persistence.
Mechanism
Configured Axios requests plus host-provided token login.
Rationale
Source inspection shows a Vue business application with ordinary configured API/authentication flows. The static network and secret hints are explained by API configuration and a non-secret environment URL; no concrete malicious behavior was found.
Evidence
package.jsonsrc/views/login/index.vuesrc/utils/request.tssrc/utils/auth-token.tssrc/core/mxApi/index.tsplugins/bump-version.tssrc/main.tssrc/core/request/index.tssrc/config/env.tsvite.config.ts.env.development.env.test.env.production
Network endpoints2
10.56.183.104:8090api.example.com

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • Native runtime auto-reads an app token via `MXCommon.getEncryptString` in `src/core/mxApi/index.ts`.
  • `src/views/login/index.vue` uses that token for an automatic native-app login request.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Network code in `src/utils/request.ts` is an Axios API client using configured base URLs and authenticated business endpoints.
  • The native token path is confined to the declared login flow; no unrelated exfiltration target is present.
  • `.env.production` contains a configured API base URL, not an embedded credential.
  • No child-process execution, eval/vm use, native binaries, payload archives, or AI-agent control-surface writes were found.
  • Build-time filesystem writes in `plugins/bump-version.ts` only version and package the project output.
Behavioral surface
Source
FilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 131 KB of source, external domains: 10.56.183.104

Source & flagged code

1 flagged · loading source
.env.productionView file
patternName = blocked_file severity = critical matchedText = .env.production redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.productionView on unpkg

Findings

1 Critical1 Medium4 Low
CriticalCritical Secret.env.production
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings