AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malware behavior was found, but the package ships a hardcoded bearer JWT used as a fallback auth header. This is a real exposed-secret risk rather than an install-time attack.
Static reason
One or more suspicious static signals were detected.
Trigger
Runtime Angular app calls HttpWebRequestService without envSvc.environment.Token
Impact
Potential unintended authenticated requests or credential exposure if the token remains valid
Mechanism
hardcoded fallback Authorization token in HTTP helper
Attack narrative
At runtime, consumers inject environment settings and call the workflow UI services. If no environment Token is provided, HttpWebRequestService builds request headers with a bundled JWT and sends it to the configured workflow/auth/file API base URLs. I found no evidence that the package harvests local data, phones home to a fixed attacker endpoint, or executes during install/import.
Rationale
Static source inspection supports a warn-level exposed credential issue, not malicious package behavior. The network code is a normal Angular workflow API wrapper and lacks install-time execution, exfiltration, shell execution, or persistence.
Evidence
package.jsonfesm2022/verben-workflow-ui-src-lib-services.mjsesm2022/src/lib/services/http-web-request.service.mjssrc/lib/services/environment.service.d.ts
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
- fesm2022/verben-workflow-ui-src-lib-services.mjs embeds a hardcoded JWT fallback Authorization header.
- esm2022/src/lib/services/http-web-request.service.mjs has the same bundled JWT in buildHeaders().
- HttpWebRequestService sends the bundled token on Angular HttpClient GET/POST/PUT/DELETE when env Token is absent.
Evidence against
- package.json has no lifecycle scripts or bin entrypoints.
- Network targets are env-provided WorkFlowAPI/AuthAPI/FILE_BASE_URL, not attacker-controlled constants.
- No child_process, fs, eval, dynamic require, native binary loading, persistence, or destructive install-time behavior found.
- HTTP calls are package-aligned workflow UI service operations and require runtime app use.
Behavioral surface
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcefesm2022/verben-workflow-ui-src-lib-services.mjsView file
52patternName = supabase_service_key
severity = critical
line = 52
matchedText = Authoriz...9g',
Critical
Critical Secret
Package contains a critical-looking secret pattern.
fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L5252patternName = supabase_service_key
severity = critical
line = 52
matchedText = Authoriz...9g',
Critical
Secret Pattern
Supabase service role key (JWT) in fesm2022/verben-workflow-ui-src-lib-services.mjs
fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52esm2022/src/lib/services/http-web-request.service.mjsView file
26patternName = supabase_service_key
severity = critical
line = 26
matchedText = Authoriz...9g',
Critical
Secret Pattern
Supabase service role key (JWT) in esm2022/src/lib/services/http-web-request.service.mjs
esm2022/src/lib/services/http-web-request.service.mjsView on unpkg · L26Findings
3 Critical3 Low
CriticalCritical Secretfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternesm2022/src/lib/services/http-web-request.service.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License