registry  /  payservedb  /  9.2.3

payservedb@9.2.3

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network behavior is limited to user-invoked MongoDB connection helpers and model config defaults aligned with a database model package.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing package loads model definitions; calling exported connect helpers opens MongoDB connections.
Impact
No credential harvesting, exfiltration, persistence, or destructive behavior identified.
Mechanism
Mongoose model registry and user-invoked database connection helpers
Rationale
Source inspection supports a benign Mongoose schema/database helper package; suspicious scanner hits are package-aligned dotenv/env use, local requires, and a bundled secret-like .env without an exfiltration mechanism. No lifecycle execution or concrete attack behavior was found.
Evidence
package.jsonindex.js.envsrc/models/facility_etims_config.jssrc/models/zohoIntegration.jssrc/models/pendingCredentials.js
Network endpoints3
mongodb://<caller-or-env-provided-host>:<port>/<dbName>102.217.144.50:8888/api/v1/www.zohoapis.com/books/v3

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • .env ships credential-like keys, but names do not match code's MONGODB_* reads and no exfil path was found.
  • src/models/facility_etims_config.js contains default eTIMS URL/credentials, but only returns config data from a model helper.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • index.js only loads dotenv, exports Mongoose models, and opens MongoDB connections when exported functions are called.
  • Dynamic require in index.js is limited to local model definition map entries.
  • rg found no child_process, eval/vm/Function, filesystem writes, destructive actions, or outbound HTTP request code in runtime JS.
  • 224 src/models files are Mongoose schemas/models, with no import-time attack behavior observed.
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 225 file(s), 481 KB of source, external domains: 102.217.144.50, example.com, www.zohoapis.com

Source & flagged code

2 flagged · loading source
2patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L2: Password=<redacted:10 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L2
index.jsView file
1const mongoose = require("mongoose"); L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L1

Findings

1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings