AI Security Review
scanned 3h ago · by lpm-firewall-aiImporting the ESM entrypoint executes an appended, obfuscated dynamic-code loader. The loader grants hidden code Node module and path context.
Static reason
One or more suspicious static signals were detected.
Trigger
Application import of `@bcryptln/bcryptjs` through its ESM export.
Impact
Hidden code can use Node capabilities available to the importing process; its exact downstream actions are concealed.
Mechanism
Obfuscated import-time `Function` execution with Node-global exposure.
Attack narrative
The package's ESM entrypoint contains normal bcrypt code followed by a single-line obfuscated loader. On import, it decodes strings, uses a dynamically obtained `Function` constructor to execute concealed code, and first copies Node-specific globals such as `require` and `__dirname` onto `global`. This is not required for bcrypt functionality and provides hidden code access to the host process's module-loading context.
Rationale
The appended obfuscated payload executes automatically on import and deliberately exposes Node runtime capabilities to concealed code. This is a concrete unauthorized execution chain, despite no lifecycle hook or plaintext endpoint.
Evidence
index.jspackage.jsonbin/bcryptumd/index.js
Decision evidence
public snapshotAI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js:1161` appends a large obfuscated payload after the bcrypt implementation.
- The payload reconstructs hidden strings, obtains a dynamic `Function` constructor, and invokes generated code at import time.
- It exposes `require`, `module`, `__dirname`, and `__filename` through `global` before hidden-code execution.
- `package.json` exports `index.js` for ESM consumers, so importing the package triggers the payload.
Evidence against
- `package.json` contains no preinstall/install/postinstall lifecycle hook.
- Visible `index.js` code before the appended payload implements bcrypt hashing and crypto randomness.
- `bin/bcrypt` only hashes its explicit command-line input.
- No plaintext network endpoint or file-harvesting path was recoverable from the inspected source.
Behavioral surface
Crypto
HighEntropyStrings
Source & flagged code
1 flagged · loading sourceindex.jsView file
1160decodeBase64,
L1161: }; ...
High
Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
index.jsView on unpkg · L1160Findings
1 High1 Medium2 Low
HighObfuscated Payload Loaderindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings