AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is primarily Mongoose schemas and connection helpers, but it ships credential-looking .env data and weak default service credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
package import loads dotenv; user-called connection/helper methods may open configured database/API connections
Impact
Potential accidental secret exposure or insecure default use, not confirmed malware
Mechanism
Mongoose model library with dotenv loading and embedded/default credentials
Rationale
Static inspection supports a warning for bundled credential-looking configuration and insecure defaults, but not a publish block: there is no lifecycle execution, exfiltration, shell execution, persistence, or destructive behavior. The scanner's dynamic-require/env findings are mostly package-aligned Mongoose model loading and configuration access.
Evidence
package.jsonindex.js.envsrc/models/facility_etims_config.jssrc/models/zohoIntegration.js
Network endpoints2
102.217.144.50:8888/api/v1/www.zohoapis.com/books/v3
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- .env is included and contains credential-looking User/Password values.
- index.js imports dotenv at module load, so packaged .env values can enter process.env.
- src/models/facility_etims_config.js has hardcoded ETIMS defaults including admin/admin and an IP API URL.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- index.js exports Mongoose connection helpers and model registry; database connections are user-invoked.
- No child_process, eval/vm/Function, destructive fs writes, persistence, or exfiltration code found.
- Network behavior is limited to MongoDB connection strings from caller/env and schema default API URLs.
Behavioral surface
DynamicRequireEnvironmentVars
UrlStrings
Source & flagged code
2 flagged · loading source.envView file
2patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L2: Password=<redacted:10 value>
Critical
index.jsView file
1const mongoose = require("mongoose");
L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Findings
1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings