registry  /  verben-workflow-ui  /  0.5.77

verben-workflow-ui@0.5.77

This library was generated with [Angular CLI](https://github.com/angular/angular-cli) version 18.2.0.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malware behavior was found, but the package ships a hardcoded bearer JWT used as a fallback auth header. This is a real exposed-secret risk rather than an install-time attack.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime Angular app calls HttpWebRequestService without envSvc.environment.Token
Impact
Potential unintended authenticated requests or credential exposure if the token remains valid
Mechanism
hardcoded fallback Authorization token in HTTP helper
Attack narrative
At runtime, consumers inject environment settings and call the workflow UI services. If no environment Token is provided, HttpWebRequestService builds request headers with a bundled JWT and sends it to the configured workflow/auth/file API base URLs. I found no evidence that the package harvests local data, phones home to a fixed attacker endpoint, or executes during install/import.
Rationale
Static source inspection supports a warn-level exposed credential issue, not malicious package behavior. The network code is a normal Angular workflow API wrapper and lacks install-time execution, exfiltration, shell execution, or persistence.
Evidence
package.jsonfesm2022/verben-workflow-ui-src-lib-services.mjsesm2022/src/lib/services/http-web-request.service.mjssrc/lib/services/environment.service.d.ts

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • fesm2022/verben-workflow-ui-src-lib-services.mjs embeds a hardcoded JWT fallback Authorization header.
  • esm2022/src/lib/services/http-web-request.service.mjs has the same bundled JWT in buildHeaders().
  • HttpWebRequestService sends the bundled token on Angular HttpClient GET/POST/PUT/DELETE when env Token is absent.
Evidence against
  • package.json has no lifecycle scripts or bin entrypoints.
  • Network targets are env-provided WorkFlowAPI/AuthAPI/FILE_BASE_URL, not attacker-controlled constants.
  • No child_process, fs, eval, dynamic require, native binary loading, persistence, or destructive install-time behavior found.
  • HTTP calls are package-aligned workflow UI service operations and require runtime app use.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 318 file(s), 4.89 MB of source, external domains: example.com, www.w3.org

Source & flagged code

3 flagged · loading source
fesm2022/verben-workflow-ui-src-lib-services.mjsView file
52patternName = supabase_service_key severity = critical line = 52 matchedText = Authoriz...9g',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52
52patternName = supabase_service_key severity = critical line = 52 matchedText = Authoriz...9g',
Critical
Secret Pattern

Supabase service role key (JWT) in fesm2022/verben-workflow-ui-src-lib-services.mjs

fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52
esm2022/src/lib/services/http-web-request.service.mjsView file
26patternName = supabase_service_key severity = critical line = 26 matchedText = Authoriz...9g',
Critical
Secret Pattern

Supabase service role key (JWT) in esm2022/src/lib/services/http-web-request.service.mjs

esm2022/src/lib/services/http-web-request.service.mjsView on unpkg · L26

Findings

3 Critical3 Low
CriticalCritical Secretfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternesm2022/src/lib/services/http-web-request.service.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License