registry  /  @bcryptln/bcryptjs  /  3.0.3

@bcryptln/bcryptjs@3.0.3

Optimized bcrypt in plain JavaScript with zero dependencies, with TypeScript support. Compatible to 'bcrypt'.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the ESM entrypoint executes an appended, obfuscated dynamic-code loader. The loader grants hidden code Node module and path context.

Static reason
One or more suspicious static signals were detected.
Trigger
Application import of `@bcryptln/bcryptjs` through its ESM export.
Impact
Hidden code can use Node capabilities available to the importing process; its exact downstream actions are concealed.
Mechanism
Obfuscated import-time `Function` execution with Node-global exposure.
Attack narrative
The package's ESM entrypoint contains normal bcrypt code followed by a single-line obfuscated loader. On import, it decodes strings, uses a dynamically obtained `Function` constructor to execute concealed code, and first copies Node-specific globals such as `require` and `__dirname` onto `global`. This is not required for bcrypt functionality and provides hidden code access to the host process's module-loading context.
Rationale
The appended obfuscated payload executes automatically on import and deliberately exposes Node runtime capabilities to concealed code. This is a concrete unauthorized execution chain, despite no lifecycle hook or plaintext endpoint.
Evidence
index.jspackage.jsonbin/bcryptumd/index.js

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js:1161` appends a large obfuscated payload after the bcrypt implementation.
  • The payload reconstructs hidden strings, obtains a dynamic `Function` constructor, and invokes generated code at import time.
  • It exposes `require`, `module`, `__dirname`, and `__filename` through `global` before hidden-code execution.
  • `package.json` exports `index.js` for ESM consumers, so importing the package triggers the payload.
Evidence against
  • `package.json` contains no preinstall/install/postinstall lifecycle hook.
  • Visible `index.js` code before the appended payload implements bcrypt hashing and crypto randomness.
  • `bin/bcrypt` only hashes its explicit command-line input.
  • No plaintext network endpoint or file-harvesting path was recoverable from the inspected source.
Behavioral surface
Source
Crypto
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 93.5 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
1160decodeBase64, L1161: }; ...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

index.jsView on unpkg · L1160

Findings

1 High1 Medium2 Low
HighObfuscated Payload Loaderindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings