registry  /  php-app  /  0.3.0

php-app@0.3.0

PHP loyihasini desktop ilovaga aylantiruvchi CLI (PHP, HTML, CSS, JS)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Install-time code fetches a platform-specific PHP executable archive, extracts it into the package directory, and marks it executable. The downloaded binary is subsequently launched when the user runs the PHP desktop application.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads the archive; `php-app run` or packaged runtime launches the downloaded PHP binary.
Impact
A compromised or substituted download endpoint can supply code executed as the installing user's account when the package is run.
Mechanism
Unsigned remote native-binary bootstrap followed by local execution.
Rationale
The package has a concrete unverified remote native-binary bootstrap at install time, creating material supply-chain risk. Source otherwise aligns with a PHP/Electron application and shows no direct malicious payload or data theft.
Evidence
package.jsonscripts/postinstall.jsscripts/fetch-php.jsruntime/main.jsbin/php-app.jslib/router.phpruntime/php-bin/<platform>/php~/.php-app-update.json
Network endpoints4
dl.static-php.dev/static-php-cli/common/php-<version>-cli-<platform>.tar.gzregistry.npmjs.org/php-app/latest127.0.0.1:<controlPort>127.0.0.1:<phpPort>

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall`.
  • `scripts/postinstall.js` invokes PHP downloader during install.
  • `scripts/fetch-php.js` downloads and extracts a native PHP archive without checksum/signature verification.
  • Downloaded runtime is made executable under `runtime/php-bin/` and later spawned by `runtime/main.js`.
Evidence against
  • No credential harvesting, secret-file reads, or outbound data exfiltration found.
  • Runtime HTTP services bind only to `127.0.0.1` and require random tokens.
  • CLI network use is limited to package update metadata; project actions are user-invoked.
  • No AI-agent configuration, VCS-hook, shell-profile, or broad persistence writes found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 41.2 KB of source, external domains: 127.0.0.1, dl.static-php.dev, nodejs.org, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/php-app.jsView file
4const fs = require('fs'); L5: const { spawn, spawnSync } = require('child_process'); L6: const os = require('os');
High
Child Process

Package source references child process execution.

bin/php-app.jsView on unpkg · L4
2'use strict'; L3: const path = require('path'); L4: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/php-app.jsView on unpkg · L2
runtime/main.jsView file
202const env = { L203: ...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d));
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/main.jsView on unpkg · L202
203...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d)); L212: phpProc.stderr.on('data', (d) => process.stdout.write('[php] ' + d));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

runtime/main.jsView on unpkg · L203
scripts/fetch-php.jsView file
4const os = require('os'); L5: const { spawnSync } = require('child_process'); L6: L7: const PHP_VERSION = process.env.PHPAPP_PHP_VERSION || '8.4.23'; L8: ... L19: async function fetchPhp(root) { L20: const key = `${process.platform}-${process.arch}`; L21: const m = MAP[key]; ... L28: const fname = `php-${PHP_VERSION}-cli-${m.remote}.${m.arc}`; L29: const url = `https://dl.static-php.dev/static-php-cli/common/${fname}`; L30: fs.mkdirSync(destDir, { recursive: true }); ... L41:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/fetch-php.jsView on unpkg · L4
bin/fetch-php.shView file
path = bin/fetch-php.sh kind = build_helper sizeBytes = 851 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/fetch-php.shView on unpkg

Findings

5 High6 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/php-app.js
HighSame File Env Network Executionruntime/main.js
HighCommand Output Exfiltrationruntime/main.js
HighSandbox Evasion Gated Capabilityscripts/fetch-php.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/php-app.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/fetch-php.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings