AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a Mongoose model/connection library; the bundled .env is a secret-leak concern, not active malware by itself.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports package and explicitly calls exported connection helpers.
Impact
Connects to caller-supplied or environment-configured MongoDB databases; no credential harvesting or exfiltration found.
Mechanism
Mongoose model registration and MongoDB connection helpers
Rationale
Static inspection shows no lifecycle hook, shell execution, file mutation, obfuscation, or exfiltration; suspicious signals are explained by a database model package and an accidentally bundled .env credential. The hardcoded/default endpoints and credential-bearing schemas are package-aligned configuration, not an attack path.
Evidence
package.jsonindex.js.envsrc/models/facility_etims_config.jssrc/models/zohoIntegration.jssrc/models/pendingCredentials.js
Network endpoints2
102.217.144.50:8888/api/v1/www.zohoapis.com/books/v3
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
- .env contains bundled MongoDB-looking credentials, but no code exfiltrates them.
- index.js calls require("dotenv").config() and reads MongoDB env vars for user-invoked connections.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- index.js exports mongoose connection helpers and many local model requires; no install-time execution.
- rg found no child_process, eval/Function, fs writes, native binaries, or AI-agent control file writes.
- Dynamic require in index.js is limited to static local model paths from moveInModelDefs.
- Network behavior is package-aligned MongoDB connection creation using caller/env-supplied host and credentials.
- Model files inspected are Mongoose schemas/methods, with package-aligned config URLs only.
Behavioral surface
DynamicRequireEnvironmentVars
UrlStrings
Source & flagged code
2 flagged · loading source.envView file
2patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L2: Password=<redacted:10 value>
Critical
index.jsView file
1const mongoose = require("mongoose");
L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Findings
1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings