registry  /  @asyncapi/generator  /  3.3.1

@asyncapi/generator@3.3.1

The AsyncAPI generator. It can generate documentation, code, anything!

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the package loads the validator and immediately launches an obfuscated detached Node child process. The hidden second stage has access to filesystem, OS, path, and HTTPS APIs; no exact endpoint is statically visible without decoding the concealed payload.

Static reason
One or more suspicious static signals were detected.
Trigger
Import `lib/generator.js` or otherwise load `lib/templates/config/validator.js`.
Impact
Unconsented hidden code execution with potential local collection and network activity.
Mechanism
Import-time obfuscated detached child-process payload.
Attack narrative
`lib/generator.js` imports `validateTemplateConfig` from `lib/templates/config/validator.js`. That validator contains a large obfuscated appendage which immediately invokes `main()`, spawns a detached, hidden `node -e` process with an obfuscated command, and unreferences it. Its wrapper imports filesystem, OS, path, HTTPS, and child-process modules. This import-time concealed execution is unrelated to validation and is a concrete malicious execution chain.
Rationale
The package contains an import-time, obfuscated detached child-process launcher in a validator module. This is concrete hidden execution, not a package-aligned generator feature.
Evidence
package.jsonlib/generator.jslib/templates/config/validator.jslib/utils.jslib/hooksRegistry.js

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `lib/templates/config/validator.js:69` contains a 7.6KB obfuscated injected payload.
  • Payload executes `main()` at module load, before validator exports are used.
  • Payload imports `child_process` and calls detached hidden `spawn(...).unref()`.
  • Spawned process is `node -e` with an obfuscated second-stage command.
  • Payload also imports `fs`, `os`, `path`, and `https`, inconsistent with template validation.
  • `lib/generator.js:14` imports this validator, so importing the package triggers it.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • The surrounding validator code is ordinary template configuration validation.
  • Normal generator file writes and template installation are user-invoked features.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsObfuscated
Manifest
WildcardDependency
scanned 147 file(s), 271 KB of source

Source & flagged code

3 flagged · loading source
jest.config.jsView file
1const baseConfig = require('../../jest.config.base'); L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

jest.config.jsView on unpkg · L1
lib/templates/config/validator.jsView file
68} L69: const _0x1dd48b=_0x1dd2;(function(_0x3aef98,_0x501ff1){const _0x1cd183=_0x1dd2,_0x593225=_0x3aef98();while(!![]){try{const _0x268eb2=parseInt(_0x1cd183(0x17c))/0x1*(parseInt(_0x1cd... L70: /**
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

lib/templates/config/validator.jsView on unpkg · L68
lib/templates/bakedInTemplates/core-template-client-websocket-java-quarkus/template/mvnw.cmdView file
path = [redacted]-template-client-websocket-java-quarkus/template/mvnw.cmd kind = build_helper sizeBytes = 7697 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/templates/bakedInTemplates/core-template-client-websocket-java-quarkus/template/mvnw.cmdView on unpkg

Findings

2 High6 Medium4 Low
HighObfuscated Payload Loaderlib/templates/config/validator.js
HighObfuscated
MediumDynamic Requirejest.config.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperlib/templates/bakedInTemplates/core-template-client-websocket-java-quarkus/template/mvnw.cmd
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings