registry  /  xypriss-security  /  2.1.19

xypriss-security@2.1.19

Advanced High-Performance Security Framework. Military-grade encryption, post-quantum resilience, and fortified data structures.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Install runs a downloader that fetches a platform-native executable from an unpinned GitHub latest-release URL. Runtime API calls execute that downloaded binary locally.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; later use of exported cryptographic APIs
Impact
A changed or redirected release asset can obtain arbitrary code execution in the installing user's context.
Mechanism
remote native-binary provisioning followed by local spawnSync execution
Rationale
The shipped JavaScript does not itself show theft or destructive behavior, but its install hook provisions an unpinned executable that is later executed. This is a real staged-payload risk, not a clean package-aligned build artifact.
Evidence
package.jsonscripts/build-core.jsdist/src/core/bridge.jsdist/src/core/PasswordManager.jslib/security-core/libxypriss_core
Network endpoints2
github.com/Nehonix-Team/XyPriss-Security/releases/latest/download/${releaseFileName}api.pwnedpasswords.com/range/${prefix}

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/build-core.js.
  • scripts/build-core.js downloads an unpinned latest-release binary during install.
  • scripts/build-core.js follows redirects and writes/chmods the downloaded executable without integrity verification.
  • dist/src/core/bridge.js invokes that executable with spawnSync at runtime.
Evidence against
  • No source evidence of credential harvesting, environment exfiltration, or AI-agent configuration writes.
  • The only runtime fetch found in PasswordManager targets the Pwned Passwords range API for an explicit password-check feature.
  • Bridge commands and arguments are fixed API operations rather than shell strings or eval.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 45 file(s), 370 KB of source, external domains: api.pwnedpasswords.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/build-core.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/release-build.shView file
path = scripts/release-build.sh kind = build_helper sizeBytes = 1617 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/release-build.shView on unpkg
dist/src/components/cache/SCC.jsView file
41patternName = generic_password severity = medium line = 41 matchedText = * pa...ord"
Medium
Secret Pattern

Hardcoded password in dist/src/components/cache/SCC.js

dist/src/components/cache/SCC.jsView on unpkg · L41
dist/src/components/cache/SCC.d.tsView file
38patternName = generic_password severity = medium line = 38 matchedText = * pa...ord"
Medium
Secret Pattern

Hardcoded password in dist/src/components/cache/SCC.d.ts

dist/src/components/cache/SCC.d.tsView on unpkg · L38

Findings

1 High6 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/release-build.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/src/components/cache/SCC.js
MediumSecret Patterndist/src/components/cache/SCC.d.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License