registry  /  php-app  /  0.5.0

php-app@0.5.0

PHP loyihasini desktop ilovaga aylantiruvchi CLI (PHP, HTML, CSS, JS)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code downloads and extracts an unsigned native PHP runtime. The runtime is later executed to serve the user-selected PHP project locally.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` fetches the archive; `php-app run` starts the bundled PHP binary.
Impact
A compromised download endpoint or substituted archive could execute arbitrary code as the installing user.
Mechanism
Unsigned install-time native binary download and later execution.
Rationale
The package has an unverified install-time native-runtime fetch that becomes executable, warranting a warning. Source inspection found no credential theft, exfiltration, stealth persistence, destructive action, or foreign AI-agent control-surface mutation.
Evidence
package.jsonscripts/postinstall.jsscripts/fetch-php.jsruntime/main.jsbin/php-app.jslib/phpapp.phpruntime/php-bin/<platform>/php~/.php-app-update.json
Network endpoints4
dl.static-php.dev/static-php-cli/common/${fname}registry.npmjs.org/php-app/latest127.0.0.1:${controlPort}127.0.0.1:${phpPort}

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall`.
  • `scripts/postinstall.js` calls `fetchPhp()` during installation.
  • `scripts/fetch-php.js` downloads a platform PHP archive from `dl.static-php.dev`.
  • Downloaded archive is extracted into `runtime/php-bin` without a checksum or signature verification.
  • `runtime/main.js` selects and spawns that downloaded PHP binary.
Evidence against
  • Download URL and destination are explicit, platform-mapped PHP runtime setup.
  • Postinstall does not harvest files, credentials, or environment data for exfiltration.
  • Observed network use is limited to the PHP binary host, npm update check, and localhost IPC.
  • Control server binds only to `127.0.0.1` and requires a random token.
  • No eval, remote JavaScript loading, AI-agent configuration mutation, or destructive payload was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 41.3 KB of source, external domains: 127.0.0.1, dl.static-php.dev, nodejs.org, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/php-app.jsView file
4const fs = require('fs'); L5: const { spawn, spawnSync } = require('child_process'); L6: const os = require('os');
High
Child Process

Package source references child process execution.

bin/php-app.jsView on unpkg · L4
2'use strict'; L3: const path = require('path'); L4: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/php-app.jsView on unpkg · L2
runtime/main.jsView file
202const env = { L203: ...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d));
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/main.jsView on unpkg · L202
203...process.env, L204: PHPAPP_CONTROL_URL: `http://127.0.0.1:${controlPort}`, L205: PHPAPP_TOKEN: CONTROL_TOKEN, ... L209: const router = path.join(libDir, 'router.php'); L210: phpProc = spawn(phpBin, ['-d', 'include_path=' + libDir + path.delimiter + '.', '-S', `127.0.0.1:${phpPort}`, '-t', docroot, router], { env, cwd: docroot }); L211: phpProc.stdout.on('data', (d) => process.stdout.write('[php] ' + d)); L212: phpProc.stderr.on('data', (d) => process.stdout.write('[php] ' + d));
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

runtime/main.jsView on unpkg · L203
scripts/fetch-php.jsView file
4const os = require('os'); L5: const { spawnSync } = require('child_process'); L6: L7: const PHP_VERSION = process.env.PHPAPP_PHP_VERSION || '8.4.23'; L8: ... L19: async function fetchPhp(root) { L20: const key = `${process.platform}-${process.arch}`; L21: const m = MAP[key]; ... L28: const fname = `php-${PHP_VERSION}-cli-${m.remote}.${m.arc}`; L29: const url = `https://dl.static-php.dev/static-php-cli/common/${fname}`; L30: fs.mkdirSync(destDir, { recursive: true }); ... L41:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/fetch-php.jsView on unpkg · L4
bin/fetch-php.shView file
path = bin/fetch-php.sh kind = build_helper sizeBytes = 851 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/fetch-php.shView on unpkg

Findings

5 High6 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/php-app.js
HighSame File Env Network Executionruntime/main.js
HighCommand Output Exfiltrationruntime/main.js
HighSandbox Evasion Gated Capabilityscripts/fetch-php.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/php-app.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/fetch-php.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings