AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious install or import-time attack surface. The package is a Vue/Vite app with runtime API requests and a build-time packaging plugin.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the web app or explicitly runs a Vite build script
Impact
No evidence of credential exfiltration, persistence, destructive behavior, or agent control-surface mutation
Mechanism
app-aligned API client and build artifact generation
Rationale
Static inspection found a normal Vue/Vite application: network calls are runtime backend requests, and the only filesystem mutation is an explicit build plugin that packages app artifacts. Suspicious scanner hits are explained by app configuration, OAuth client parameters, and debugging logs rather than an npm supply-chain attack.
Evidence
package.json.env.production.env.test.env.developmentvite.config.tsplugins/bump-version.tssrc/utils/request.tssrc/utils/auth-token.tssrc/api/user.tssrc/core/mxApi/index.tssrc/stores/user.tssrc/config/plugin.properties.prosrc/config/plugin.properties.testdist/plugin.propertiesdist/dist_<version>.zipdist/www/config.properties
Network endpoints5
api.example.com10.56.183.104:809010.56.183.104:8090/omsregistry.npmjs.orggithub.com/ruiange/mini2.0.git
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- src/core/mxApi/index.ts logs native app token and request headers/data to console during runtime debugging
- plugins/bump-version.ts writes plugin.properties and a dist zip during Vite build
- src/stores/user.ts persists auth token state in browser storage for the app
Evidence against
- package.json has no preinstall/install/postinstall hooks and no bin entry
- Network use is Vue app API traffic via configured VITE_API_BASE_URL, not install-time exfiltration
- No child_process, shell execution, eval, native addon, or remote payload loader found
- The .env.production value is https://api.example.com and not a real embedded secret
- loginApi uses a static OAuth client secret string for the app backend, not harvested credentials
- File writes are limited to explicit build plugin output/version bump behavior
Behavioral surface
FilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading source.env.productionView file
•patternName = blocked_file
severity = critical
matchedText = .env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical1 Medium4 Low
CriticalCritical Secret.env.production
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings