registry  /  php-app  /  0.2.0

php-app@0.2.0

PHP loyihasini desktop ilovaga aylantiruvchi CLI (PHP, HTML, CSS, JS)

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Install-time code downloads and extracts a platform-specific PHP runtime, then later runs it for user-invoked projects. The archive is accepted without cryptographic integrity verification, leaving a remote-code supply-chain risk if the source is compromised.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall downloads the runtime; php-app run launches it.
Impact
A substituted download could execute as the installing user when the CLI launches PHP.
Mechanism
unsigned remote PHP runtime download and later child-process execution
Rationale
The package performs an unverified install-time executable download, so it warrants a warning. Its behavior otherwise aligns with its advertised PHP desktop runtime and no concrete malicious behavior was confirmed.
Evidence
package.jsonscripts/postinstall.jsscripts/fetch-php.jsruntime/main.jsruntime/preload.jslib/phpapp.phplib/router.phpbin/php-app.jsruntime/php-bin/
Network endpoints1
dl.static-php.dev/static-php-cli/common/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json defines postinstall.
  • scripts/postinstall.js calls fetchPhp during install.
  • scripts/fetch-php.js downloads a platform PHP archive without a checksum/signature.
  • runtime/main.js later executes the downloaded PHP binary.
  • runtime/main.js exposes privileged Electron actions to the launched project via tokenized localhost control API.
Evidence against
  • No credential, environment, or file harvesting was found.
  • No exfiltration endpoint or outbound upload behavior was found.
  • The download target is a PHP runtime matching the package's stated desktop-PHP purpose.
  • The control and UI servers bind only to 127.0.0.1 and use random tokens.
  • No AI-agent configuration, hooks, or foreign control-surface writes were found.
  • CLI update/install behavior is explicit-user-command only.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 39.6 KB of source, external domains: 127.0.0.1, dl.static-php.dev, nodejs.org, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/php-app.jsView file
4const fs = require('fs'); L5: const { spawn, spawnSync } = require('child_process'); L6: const os = require('os');
High
Child Process

Package source references child process execution.

bin/php-app.jsView on unpkg · L4
2'use strict'; L3: const path = require('path'); L4: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/php-app.jsView on unpkg · L2
runtime/main.jsView file
matchType = previous_version_dangerous_delta matchedPackage = php-app@0.1.5 matchedIdentity = npm:cGhwLWFwcA:0.1.5 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

runtime/main.jsView on unpkg
202const env = { L203: ...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d));
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/main.jsView on unpkg · L202
203...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d)); L212: phpProc.stderr.on('data', (d) => process.stdout.write('[php] ' + d));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

runtime/main.jsView on unpkg · L203
scripts/fetch-php.jsView file
4const os = require('os'); L5: const { spawnSync } = require('child_process'); L6: L7: const PHP_VERSION = process.env.PHPAPP_PHP_VERSION || '8.4.23'; L8: ... L19: async function fetchPhp(root) { L20: const key = `${process.platform}-${process.arch}`; L21: const m = MAP[key]; ... L28: const fname = `php-${PHP_VERSION}-cli-${m.remote}.${m.arc}`; L29: const url = `https://dl.static-php.dev/static-php-cli/common/${fname}`; L30: fs.mkdirSync(destDir, { recursive: true }); ... L41:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/fetch-php.jsView on unpkg · L4
bin/fetch-php.shView file
path = bin/fetch-php.sh kind = build_helper sizeBytes = 851 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/fetch-php.shView on unpkg

Findings

1 Critical5 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltaruntime/main.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/php-app.js
HighSame File Env Network Executionruntime/main.js
HighCommand Output Exfiltrationruntime/main.js
HighSandbox Evasion Gated Capabilityscripts/fetch-php.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/php-app.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/fetch-php.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings