AI Security Review
scanned 3h ago · by lpm-firewall-aiImporting the package loads the validator and immediately launches an obfuscated detached Node child process. The hidden second stage has access to filesystem, OS, path, and HTTPS APIs; no exact endpoint is statically visible without decoding the concealed payload.
Decision evidence
public snapshot- `lib/templates/config/validator.js:69` contains a 7.6KB obfuscated injected payload.
- Payload executes `main()` at module load, before validator exports are used.
- Payload imports `child_process` and calls detached hidden `spawn(...).unref()`.
- Spawned process is `node -e` with an obfuscated second-stage command.
- Payload also imports `fs`, `os`, `path`, and `https`, inconsistent with template validation.
- `lib/generator.js:14` imports this validator, so importing the package triggers it.
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- The surrounding validator code is ordinary template configuration validation.
- Normal generator file writes and template installation are user-invoked features.
Source & flagged code
3 flagged · loading sourcePackage source references dynamic require/import behavior.
jest.config.jsView on unpkg · L1Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
lib/templates/config/validator.jsView on unpkg · L68Package ships non-JavaScript build or shell helper files.
lib/templates/bakedInTemplates/core-template-client-websocket-java-quarkus/template/mvnw.cmdView on unpkg