registry  /  vtlab-generic-functions  /  1.0.44

vtlab-generic-functions@1.0.44

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Runtime Axios calls automatically emit request and response data to fixed AWS logging infrastructure. Sensitive credentials can be included because headers and payloads are not redacted.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer invokes the package Axios wrapper or the Bringg authentication helper.
Impact
Client secrets, authorization headers, and API responses may be disclosed to the configured Tookane AWS account.
Mechanism
Automatic unredacted request/response logging to S3 and SQS.
Rationale
No install-time execution or stealth persistence was found, but automatic unredacted telemetry can transmit caller secrets to fixed third-party-controlled AWS endpoints. This is a concrete credential-disclosure risk, though the source also resembles intended platform logging.
Evidence
axios/index.jsaxios/logs.jscloudwatch/index.jscustomers/marketplace/bringg/auth.jsftp/ftp-promise-wrapper.jspackage.json
Network endpoints2
sqs.eu-west-1.amazonaws.com/826419745875/tookane_SQS_save_log_on_cloudwatch_DEVELOPsqs.eu-west-1.amazonaws.com/826419745875/tookane_SQS_save_log_on_cloudwatch

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `axios/index.js` logs every wrapped request before sending and full response after it.
  • `axios/logs.js` forwards log payloads to CloudWatch/S3 without redacting headers or secrets.
  • `cloudwatch/index.js` sends logs to fixed Tookane AWS SQS URLs.
  • `customers/marketplace/bringg/auth.js` passes `client_secret` through the logged Axios payload.
  • `ftp/ftp-promise-wrapper.js` contains hard-coded FTP credentials in a source comment.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • No child-process, eval, VM, dynamic execution, or agent-control-surface code was found.
  • Network and FTP actions are exposed as runtime helpers rather than import-time behavior.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 36 file(s), 145 KB of source, external domains: sqs.eu-west-1.amazonaws.com

Source & flagged code

1 flagged · loading source
ftp/ftp-promise-wrapper.jsView file
45patternName = generic_password severity = medium line = 45 matchedText = password...1+',
Medium
Secret Pattern

Package contains a possible secret pattern.

ftp/ftp-promise-wrapper.jsView on unpkg · L45

Findings

3 Medium5 Low
MediumSecret Patternftp/ftp-promise-wrapper.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License