registry  /  payservedb  /  9.2.2

payservedb@9.2.2

AI Security Review

scanned 13d ago · by lpm-firewall-ai

The main risk is accidental credential exposure via a packaged .env and import-time dotenv loading, not confirmed malware. Runtime network behavior is limited to user-invoked MongoDB connection helpers and package-aligned model configuration defaults.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package loads dotenv; calling exported DB helpers opens MongoDB connections.
Impact
Potential leakage or unintended use of bundled credentials; no confirmed attack execution against consumers.
Mechanism
packaged secret exposure and user-invoked database connection helpers
Attack narrative
On import, index.js loads dotenv, so the packaged .env credentials can enter the consumer process environment. The package otherwise exports many Mongoose models and user-invoked connection helpers; no install-time execution, shell execution, file mutation, or outbound exfiltration logic was found.
Rationale
Source inspection supports a warn-level secret exposure/unsafe packaging issue, but not malicious behavior against package consumers. The suspicious dynamic require hint is explained by static local model registration for Mongoose schemas.
Evidence
package.jsonindex.js.envsrc/models/facility_etims_config.jssrc/models/zohoIntegration.jssrc/models/pendingCredentials.js
Network endpoints2
102.217.144.50:8888/api/v1/www.zohoapis.com/books/v3

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • .env is packaged and contains apparent MongoDB credentials.
  • index.js calls require("dotenv").config() at import time, loading packaged .env values into process.env.
  • index.js exports DB connection helpers that build MongoDB URLs from supplied args or process.env.
  • src/models/facility_etims_config.js includes default ETIMS URL and fallback admin/admin credentials.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and only main index.js.
  • No child_process, eval/vm/Function, filesystem writes, native binaries, or shell scripts found.
  • Model files are predominantly mongoose schemas; requires are static and package-local except mongoose/moment-timezone.
  • No confirmed credential harvesting or exfiltration endpoint was found.
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 225 file(s), 481 KB of source, external domains: 102.217.144.50, example.com, www.zohoapis.com

Source & flagged code

2 flagged · loading source
2patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L2: Password=<redacted:10 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L2
index.jsView file
1const mongoose = require("mongoose"); L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L1

Findings

1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings