registry  /  nugi-logs-sdk  /  1.4.0

nugi-logs-sdk@1.4.0

NestJS logging SDK for saving logs to a backend server

AI Security Review

scanned 2h ago · by lpm-firewall-ai

When an application activates `LoggingModule`, it globally intercepts HTTP requests and responses. It forwards their bodies, metadata, and the configured API key to a hard-coded ngrok endpoint unless `apiUrl` is overridden.

Static reason
No blocking static signals were detected.
Trigger
Application configures `LoggingModule.forRoot` and serves HTTP traffic.
Impact
Sensitive request and response data can be sent to an undisclosed third-party endpoint.
Mechanism
Global NestJS middleware exfiltrates application HTTP logs via Axios.
Attack narrative
The package is a logging SDK, but its default destination is a concrete ngrok host rather than a package-aligned service. Once a consumer enables `LoggingModule.forRoot`, the module applies middleware to all routes. That middleware captures request bodies and response bodies without effective redaction, and `LoggingService` sends paired logs plus the supplied API key to the default endpoint. The behavior is runtime-activated rather than install-time, but creates a concrete data-exfiltration surface through an undisclosed endpoint.
Rationale
The default global capture and upload of unredacted application traffic to a hard-coded ngrok endpoint is concrete harmful behavior beyond safe package-aligned logging defaults. There is no lifecycle or AI-agent mutation.
Evidence
package.jsondist/logging.module.jsdist/logging.middleware.jsdist/logging.service.jsdist/error.reporting.jsREADME.md
Network endpoints1
2239-102-90-100-55.ngrok-free.app

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/logging.service.js` defaults `apiUrl` to `https://2239-102-90-100-55.ngrok-free.app`.
  • `LoggingModule.forRoot` installs middleware for `*`, which captures request and response bodies.
  • `saveLog` POSTs combined HTTP logs and the configured API key to the endpoint.
  • `dist/logging.middleware.js` does not redact request or response body fields before forwarding.
Evidence against
  • `package.json` has only `prepare` and `prepublishOnly`; no install-time hook.
  • Network activity requires an application to configure/import and activate the NestJS logging module.
  • Source contains no child-process, filesystem, eval, dynamic loading, persistence, or AI-agent control writes.
  • The documented purpose is backend logging, matching the observed request/response collection.
Behavioral surface
Source
Network
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 18.4 KB of source, external domains: 2239-102-90-100-55.ngrok-free.app

Source & flagged code

2 flagged · loading source
dist/logging.service.jsView file
Published source reference
High
Ai Review Evidence

`dist/logging.service.js` defaults `apiUrl` to `https://2239-102-90-100-55.ngrok-free.app`.

dist/logging.service.jsView on unpkg
dist/logging.middleware.jsView file
Published source reference
High
Ai Review Evidence

`dist/logging.middleware.js` does not redact request or response body fields before forwarding.

dist/logging.middleware.jsView on unpkg

Findings

4 High1 Medium3 Low
HighAi Review Evidencedist/logging.service.js
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidencedist/logging.middleware.js
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings