AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious execution surface was found. The main residual risk is an accidentally packaged .env with credential-looking values, not code that harvests or exfiltrates data.
Static reason
One or more suspicious static signals were detected.
Trigger
importing package or user-called database connection helpers
Impact
Potential credential exposure from packaged .env; no confirmed malware behavior
Mechanism
mongoose model exports and user-supplied MongoDB connection helpers
Attack narrative
Static inspection shows a database model package that loads dotenv and exports many Mongoose schemas plus connection helpers. The suspicious finding is the included .env file with credential-looking fields, but the code does not read those exact key names for MongoDB connection and contains no install hook, shell execution, filesystem mutation, credential harvesting, or exfiltration path.
Rationale
This is not confirmed malicious by source behavior, but publishing a .env with credential-looking values is a real package hygiene and leakage risk. Mark warn rather than block.
Evidence
package.jsonindex.js.envsrc/models/zohoIntegration.jssrc/models/facility_etims_config.js
Network endpoints3
mongodb://<user-supplied-host>:<user-supplied-port>www.zohoapis.com/books/v3102.217.144.50:8888/api/v1/
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- .env is packaged and contains username/password-looking values
- index.js imports dotenv at module load, though its MongoDB env keys differ from the packaged .env keys
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks
- index.js exports mongoose connection helpers and model registry only
- No child_process, eval/vm, filesystem writes, or destructive code found
- Dynamic require in index.js is limited to local model schema files
- Network use is package-aligned MongoDB connection construction plus schema default URLs
Behavioral surface
DynamicRequireEnvironmentVars
UrlStrings
Source & flagged code
2 flagged · loading source.envView file
2patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L2: Password=<redacted:10 value>
Critical
index.jsView file
1const mongoose = require("mongoose");
L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Findings
1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings