registry  /  php-app  /  0.1.5

php-app@0.1.5

PHP loyihasini desktop ilovaga aylantiruvchi CLI (PHP, HTML, CSS, JS)

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Install-time code downloads and unpacks an executable PHP runtime without cryptographic integrity verification. The downloaded binary is later executed when the user runs the application.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
`npm install` runs `postinstall`; later `php-app run` or packaged runtime launch executes PHP.
Impact
A compromised or substituted download can place an attacker-controlled executable in the package runtime.
Mechanism
Unverified remote binary staging and later execution.
Rationale
Source inspection does not establish intentional malware, but it confirms a postinstall remote executable staging path with insufficient integrity verification. This is a material supply-chain risk that warrants a warning rather than a publication block.
Evidence
package.jsonscripts/postinstall.jsscripts/fetch-php.jsruntime/main.jsbin/php-app.jslib/phpapp.phplib/router.phpruntime/preload.jsruntime/php-bin/<platform>/php
Network endpoints4
dl.static-php.dev/static-php-cli/common/...127.0.0.1:<controlPort>127.0.0.1:<phpPort>registry.npmjs.org/php-app/latest

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall`.
  • `scripts/postinstall.js` calls `fetchPhp` during installation.
  • `scripts/fetch-php.js` downloads a platform PHP archive from `https://dl.static-php.dev/static-php-cli/common/...`.
  • Downloaded archive has only size/magic-byte checks, no hash/signature verification, then `tar` extracts it into `runtime/php-bin/`.
  • `runtime/main.js` later spawns the downloaded PHP binary.
Evidence against
  • No credential, environment, or project-file exfiltration path found.
  • Network use in `runtime/main.js` is loopback-only (`127.0.0.1`) for the packaged PHP app bridge.
  • CLI update/network calls are user-invoked; no hidden endpoint or dynamic code evaluation found.
  • Filesystem mutations otherwise align with project creation/build output and runtime setup.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 35.1 KB of source, external domains: 127.0.0.1, dl.static-php.dev, nodejs.org, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/php-app.jsView file
matchType = previous_version_dangerous_delta matchedPackage = php-app@0.1.3 matchedIdentity = npm:cGhwLWFwcA:0.1.3 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/php-app.jsView on unpkg
4const fs = require('fs'); L5: const { spawn, spawnSync } = require('child_process'); L6: const os = require('os');
High
Child Process

Package source references child process execution.

bin/php-app.jsView on unpkg · L4
2'use strict'; L3: const path = require('path'); L4: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/php-app.jsView on unpkg · L2
runtime/main.jsView file
130const env = { L131: ...process.env, L132: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L133: PHPAPP_TOKEN: CONTROL_TOKEN, ... L137: const router = path.join(libDir, 'router.php'); L138: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L139: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d));
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/main.jsView on unpkg · L130
131...process.env, L132: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L133: PHPAPP_TOKEN: CONTROL_TOKEN, ... L137: const router = path.join(libDir, 'router.php'); L138: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L139: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d)); L140: phpProc.stderr.on('data', (d) => process.stdout.write('[php] ' + d));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

runtime/main.jsView on unpkg · L131
scripts/fetch-php.jsView file
4const os = require('os'); L5: const { spawnSync } = require('child_process'); L6: L7: const PHP_VERSION = process.env.PHPAPP_PHP_VERSION || '8.4.23'; L8: ... L19: async function fetchPhp(root) { L20: const key = `${process.platform}-${process.arch}`; L21: const m = MAP[key]; ... L28: const fname = `php-${PHP_VERSION}-cli-${m.remote}.${m.arc}`; L29: const url = `https://dl.static-php.dev/static-php-cli/common/${fname}`; L30: fs.mkdirSync(destDir, { recursive: true }); ... L41:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/fetch-php.jsView on unpkg · L4
bin/fetch-php.shView file
path = bin/fetch-php.sh kind = build_helper sizeBytes = 851 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/fetch-php.shView on unpkg

Findings

1 Critical5 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/php-app.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/php-app.js
HighSame File Env Network Executionruntime/main.js
HighCommand Output Exfiltrationruntime/main.js
HighSandbox Evasion Gated Capabilityscripts/fetch-php.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/php-app.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/fetch-php.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings