
pppakot@1.0.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. The main risk is an accidentally published backend .env containing a MongoDB connection string.

Static reason
One or more suspicious static signals were detected.
Trigger
Running backend/index.js
Impact
Potential exposure or misuse of the packaged MongoDB URI; no source-level exfiltration behavior found.
Mechanism
dotenv-loaded MongoDB connection for feed API
Rationale
Static inspection shows an ordinary local feed app and no install-time/import-time malicious behavior, but the packaged backend .env contains a live-looking MONGO_URI secret. This warrants a warning for secret exposure rather than a malicious publish block.
Evidence
  • package.json
  • backend/package.json
  • backend/index.js
  • backend/routes/feedsRoutes.js
  • backend/models/feed.js
  • frontend/package.json
  • frontend/src/App.jsx
  • frontend/src/main.jsx
  • backend/.env
Network endpoints (1)
  • localhost:3000/feeds

Decision evidence

public snapshot
The AI classified this package as Suspicious (86.0% confidence), category Unknown, with medium false-positive risk.
Evidence for warning
  • backend/.env contains a MONGO_URI value in the published package.
  • backend/index.js loads dotenv and connects mongoose to process.env.MONGO_URI at runtime.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Root main index.js is declared but not present, so import-time execution from the root package is not established.
  • Source is a simple Express/Mongoose feed API plus Vite frontend.
  • Network use is limited to localhost frontend fetches and MongoDB connection configured by env.
  • No child_process, eval, dynamic remote code loading, credential harvesting, or AI-agent control writes found outside dependencies.
Behavioral surface
  Source: Environment Vars, Network
  Supply chain: No supply-chain packaging signals triggered.
  Manifest: No manifest risk signals triggered.
Scanned 6 file(s), 8.91 KB of source.

Source & flagged code

1 flagged
backend/.env (view file)
  patternName = blocked_file
  severity = critical
  matchedText = backend/.env
  redactedSecretContext = (empty)
  secretLikeLines = 1
  L1: MONGO_URI=<redacted:103 token-like>

Critical Secret (severity: Critical)

Package contains a critical-looking secret pattern.

backend/.env (view on unpkg), L1
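The two pieces of evidence this report rests on (a packaged backend/.env whose MONGO_URI value looks live, and the blocked_file finding with its redacted secret line) are cheap to reproduce before publishing. The following is an added example written for this page, not the scanner's or the package's own code; the file paths, the fake connection string, the severity labels and the heuristics inside looksLive are assumptions made for the demo.

```javascript
// Added example (not lpm-firewall-ai's or pppakot's code): a pre-publish
// check that reproduces the "blocked_file" finding above. File contents,
// the MONGO_URI value and the thresholds are constructed for this demo.

// Files that should never ship in an npm tarball (.env, .env.local, ...).
const BLOCKED_FILE = /(^|\/)\.env(\.[^/]*)?$/;
// KEY=value lines whose key suggests a credential.
const SECRET_KEY = /^(?<key>[A-Z0-9_]*(URI|URL|KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)=(?<val>.+)$/;

// Heuristic split between a live-looking value and a local/placeholder one.
function looksLive(value) {
  // Local dev defaults are not a leak.
  if (/^mongodb(\+srv)?:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/.test(value)) return false;
  // Embedded credentials: scheme://user:password@host
  if (/\/\/[^/@\s]+:[^/@\s]+@/.test(value)) return true;
  // Otherwise a long bare token (API key, JWT, ...).
  return /[A-Za-z0-9+/=_.-]{32,}/.test(value);
}

// Scan one .env body; returns secret-like lines with the value redacted.
function scanEnvContent(content) {
  const hits = [];
  content.split(/\r?\n/).forEach((raw, i) => {
    const m = SECRET_KEY.exec(raw.trim());
    if (!m) return;
    const value = m.groups.val.replace(/^["']|["']$/g, '');
    if (!looksLive(value)) return;
    hits.push({
      line: i + 1,
      key: m.groups.key,
      // Report the length only, never the value, like <redacted:N token-like>.
      redacted: `<redacted:${value.length} token-like>`,
    });
  });
  return hits;
}

// files: { [pathInTarball]: content }. One finding per blocked file.
function scanPackage(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (!BLOCKED_FILE.test(path)) continue;
    const secretLikeLines = scanEnvContent(content);
    findings.push({
      patternName: 'blocked_file',
      severity: secretLikeLines.length > 0 ? 'critical' : 'low',
      matchedText: path,
      secretLikeLines,
    });
  }
  return findings;
}

// Decision in the report's terms: a live-looking secret is a warning, not a block.
function decide(findings) {
  return findings.some((f) => f.severity === 'critical') ? 'warn' : 'ok';
}

// Constructed sample tarball mirroring the evidence list; the URI is fake.
const fakeMongoUri =
  'mongodb+srv://feeduser:a1B2c3D4e5F6g7H8i9J0k1L2@cluster0.example.mongodb.net/feeds?retryWrites=true&w=majority';
const sampleFiles = {
  'package.json': '{"name":"pppakot","version":"1.0.0","main":"index.js"}',
  'backend/index.js':
    "require('dotenv').config();\nconst mongoose = require('mongoose');\nmongoose.connect(process.env.MONGO_URI);\n",
  'backend/.env': `PORT=3000\nMONGO_URI=${fakeMongoUri}\n`,
  'backend/.env.example': 'MONGO_URI=mongodb://localhost:27017/feeds\n',
};

const sampleFindings = scanPackage(sampleFiles);
console.log(JSON.stringify(sampleFindings, null, 2), decide(sampleFindings));
```

Run it against the output of `npm pack --dry-run` (which lists exactly what would be published) rather than the working tree, since a `files` allowlist in package.json or a `.npmignore` entry for `.env` is the actual fix and the check should see the same file set npm does. Once a tarball with the secret has reached the public registry, unpublishing does not help; the credential has to be rotated.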

Findings

1 Critical · 2 Medium · 1 Low
  • Critical: Critical Secret (backend/.env)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present