AI Security Review
scanned 2h ago · by lpm-firewall-ai
No confirmed malicious npm install or import attack surface was found. The main risk is an accidentally published backend .env containing a MongoDB connection string.
Static reason
One or more suspicious static signals were detected.
Trigger
Running backend/index.js
Impact
Potential exposure or misuse of the packaged MongoDB URI; no source-level exfiltration behavior found.
Mechanism
dotenv-loaded MongoDB connection for feed API
Rationale
Static inspection shows an ordinary local feed app and no install-time/import-time malicious behavior, but the packaged backend .env contains a live-looking MONGO_URI secret. This warrants a warning for secret exposure rather than a malicious publish block.
Evidence
- package.json
- backend/package.json
- backend/index.js
- backend/routes/feedsRoutes.js
- backend/models/feed.js
- frontend/package.json
- frontend/src/App.jsx
- frontend/src/main.jsx
- backend/.env
Network endpoints (1)
- localhost:3000/feeds
Decision evidence
public snapshot: AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- backend/.env contains a MONGO_URI value in the published package.
- backend/index.js loads dotenv and connects mongoose to process.env.MONGO_URI at runtime.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- Root main index.js is declared but not present, so import-time execution from the root package is not established.
- Source is a simple Express/Mongoose feed API plus Vite frontend.
- Network use is limited to localhost frontend fetches and MongoDB connection configured by env.
- No child_process, eval, dynamic remote code loading, credential harvesting, or AI-agent control writes found outside dependencies.
Behavioral surface
- Environment Vars
- Network
Source & flagged code
1 flagged · backend/.env
patternName = blocked_file
severity = critical
matchedText = backend/.env
redactedSecretContext =
secretLikeLines = 1
L1: MONGO_URI=<redacted:103 token-like>
Critical
Findings
1 Critical, 2 Medium, 1 Low
- Critical: Secret (backend/.env)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present