registry  /  payservedb  /  9.2.7

payservedb@9.2.7

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious execution surface was found. The main residual risk is an accidentally packaged .env with credential-looking values, not code that harvests or exfiltrates data.

Static reason
One or more suspicious static signals were detected.
Trigger
importing package or user-called database connection helpers
Impact
Potential credential exposure from packaged .env; no confirmed malware behavior
Mechanism
mongoose model exports and user-supplied MongoDB connection helpers
Attack narrative
Static inspection shows a database model package that loads dotenv and exports many Mongoose schemas plus connection helpers. The suspicious finding is the included .env file with credential-looking fields, but the code does not read those exact key names for MongoDB connection and contains no install hook, shell execution, filesystem mutation, credential harvesting, or exfiltration path.
Rationale
This is not confirmed malicious by source behavior, but publishing a .env with credential-looking values is a real package hygiene and leakage risk. Mark warn rather than block.
Evidence
package.jsonindex.js.envsrc/models/zohoIntegration.jssrc/models/facility_etims_config.js
Network endpoints3
mongodb://<user-supplied-host>:<user-supplied-port>www.zohoapis.com/books/v3102.217.144.50:8888/api/v1/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • .env is packaged and contains username/password-looking values
  • index.js imports dotenv at module load, though its MongoDB env keys differ from the packaged .env keys
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • index.js exports mongoose connection helpers and model registry only
  • No child_process, eval/vm, filesystem writes, or destructive code found
  • Dynamic require in index.js is limited to local model schema files
  • Network use is package-aligned MongoDB connection construction plus schema default URLs
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 225 file(s), 482 KB of source, external domains: 102.217.144.50, example.com, www.zohoapis.com

Source & flagged code

2 flagged · loading source
2patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L2: Password=<redacted:10 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L2
index.jsView file
1const mongoose = require("mongoose"); L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L1

Findings

1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings