registry  /  php-app  /  0.4.0

php-app@0.4.0

PHP loyihasini desktop ilovaga aylantiruvchi CLI (PHP, HTML, CSS, JS)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install automatically fetches and extracts a native PHP runtime into the package directory. A later user `php-app run` launches that runtime.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall, then explicit `php-app run`
Impact
A compromised or substituted archive could execute as the installing user when the CLI later runs.
Mechanism
unverified remote native-runtime bootstrap and execution
Rationale
The package is not conclusively malicious, but its automatic unsigned native binary download and later execution is a material supply-chain risk. The lifecycle behavior warrants a warning rather than a publish block.
Evidence
package.jsonscripts/postinstall.jsscripts/fetch-php.jsruntime/main.jsbin/php-app.jslib/router.phpruntime/php-bin/${platform}/php~/.php-app-update.json
Network endpoints4
dl.static-php.dev/static-php-cli/common/${fname}registry.npmjs.org/php-app/latest127.0.0.1:${controlPort}127.0.0.1:${phpPort}

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `scripts/postinstall.js` automatically.
  • `scripts/fetch-php.js` downloads a platform PHP archive during postinstall.
  • Download URL uses `PHPAPP_PHP_VERSION` and has no checksum or signature verification.
  • Archive is extracted into `runtime/php-bin/*` and later executed by `runtime/main.js`.
Evidence against
  • Network destination is a fixed static-PHP distribution host.
  • `bin/php-app.js` network check only queries npm for update notices.
  • `runtime/main.js` HTTP services bind to `127.0.0.1` and use random tokens.
  • No source evidence of credential harvesting, external exfiltration, AI-agent writes, or stealth persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 41.2 KB of source, external domains: 127.0.0.1, dl.static-php.dev, nodejs.org, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/php-app.jsView file
4const fs = require('fs'); L5: const { spawn, spawnSync } = require('child_process'); L6: const os = require('os');
High
Child Process

Package source references child process execution.

bin/php-app.jsView on unpkg · L4
2'use strict'; L3: const path = require('path'); L4: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/php-app.jsView on unpkg · L2
runtime/main.jsView file
202const env = { L203: ...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d));
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/main.jsView on unpkg · L202
203...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d)); L212: phpProc.stderr.on('data', (d) => process.stdout.write('[php] ' + d));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

runtime/main.jsView on unpkg · L203
scripts/fetch-php.jsView file
4const os = require('os'); L5: const { spawnSync } = require('child_process'); L6: L7: const PHP_VERSION = process.env.PHPAPP_PHP_VERSION || '8.4.23'; L8: ... L19: async function fetchPhp(root) { L20: const key = `${process.platform}-${process.arch}`; L21: const m = MAP[key]; ... L28: const fname = `php-${PHP_VERSION}-cli-${m.remote}.${m.arc}`; L29: const url = `https://dl.static-php.dev/static-php-cli/common/${fname}`; L30: fs.mkdirSync(destDir, { recursive: true }); ... L41:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/fetch-php.jsView on unpkg · L4
bin/fetch-php.shView file
path = bin/fetch-php.sh kind = build_helper sizeBytes = 851 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/fetch-php.shView on unpkg

Findings

5 High6 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/php-app.js
HighSame File Env Network Executionruntime/main.js
HighCommand Output Exfiltrationruntime/main.js
HighSandbox Evasion Gated Capabilityscripts/fetch-php.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/php-app.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/fetch-php.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings