registry  /  payservedb  /  9.2.6

payservedb@9.2.6

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Mongoose model/connection library; the bundled .env is a secret-leak concern, not active malware by itself.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports package and explicitly calls exported connection helpers.
Impact
Connects to caller-supplied or environment-configured MongoDB databases; no credential harvesting or exfiltration found.
Mechanism
Mongoose model registration and MongoDB connection helpers
Rationale
Static inspection shows no lifecycle hook, shell execution, file mutation, obfuscation, or exfiltration; suspicious signals are explained by a database model package and an accidentally bundled .env credential. The hardcoded/default endpoints and credential-bearing schemas are package-aligned configuration, not an attack path.
Evidence
package.jsonindex.js.envsrc/models/facility_etims_config.jssrc/models/zohoIntegration.jssrc/models/pendingCredentials.js
Network endpoints2
102.217.144.50:8888/api/v1/www.zohoapis.com/books/v3

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • .env contains bundled MongoDB-looking credentials, but no code exfiltrates them.
  • index.js calls require("dotenv").config() and reads MongoDB env vars for user-invoked connections.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • index.js exports mongoose connection helpers and many local model requires; no install-time execution.
  • rg found no child_process, eval/Function, fs writes, native binaries, or AI-agent control file writes.
  • Dynamic require in index.js is limited to static local model paths from moveInModelDefs.
  • Network behavior is package-aligned MongoDB connection creation using caller/env-supplied host and credentials.
  • Model files inspected are Mongoose schemas/methods, with package-aligned config URLs only.
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 225 file(s), 482 KB of source, external domains: 102.217.144.50, example.com, www.zohoapis.com

Source & flagged code

2 flagged · loading source
2patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L2: Password=<redacted:10 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L2
index.jsView file
1const mongoose = require("mongoose"); L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L1

Findings

1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings