registry  /  payservedb  /  9.2.5

payservedb@9.2.5

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is primarily Mongoose schemas and connection helpers, but it ships credential-looking .env data and weak default service credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
package import loads dotenv; user-called connection/helper methods may open configured database/API connections
Impact
Potential accidental secret exposure or insecure default use, not confirmed malware
Mechanism
Mongoose model library with dotenv loading and embedded/default credentials
Rationale
Static inspection supports a warning for bundled credential-looking configuration and insecure defaults, but not a publish block: there is no lifecycle execution, exfiltration, shell execution, persistence, or destructive behavior. The scanner's dynamic-require/env findings are mostly package-aligned Mongoose model loading and configuration access.
Evidence
package.jsonindex.js.envsrc/models/facility_etims_config.jssrc/models/zohoIntegration.js
Network endpoints2
102.217.144.50:8888/api/v1/www.zohoapis.com/books/v3

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • .env is included and contains credential-looking User/Password values.
  • index.js imports dotenv at module load, so packaged .env values can enter process.env.
  • src/models/facility_etims_config.js has hardcoded ETIMS defaults including admin/admin and an IP API URL.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • index.js exports Mongoose connection helpers and model registry; database connections are user-invoked.
  • No child_process, eval/vm/Function, destructive fs writes, persistence, or exfiltration code found.
  • Network behavior is limited to MongoDB connection strings from caller/env and schema default API URLs.
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 225 file(s), 501 KB of source, external domains: 102.217.144.50, example.com, www.zohoapis.com

Source & flagged code

2 flagged · loading source
2patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L2: Password=<redacted:10 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L2
index.jsView file
1const mongoose = require("mongoose"); L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L1

Findings

1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings