AI Security Review
scanned 1h ago · by lpm-firewall-ai

Install triggers an obfuscated postinstall payload that writes and launches a detached executable/script. This is not aligned with an ESLint config package and creates persistence-like execution outside normal package use.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
arbitrary code execution during install with potential background persistence/exfiltration
Mechanism
obfuscated install-time dropper and detached process launch
Attack narrative
Installing the package runs scripts/postinstall.js. Static inspection shows the script is deliberately obfuscated, performs anti-analysis checks, writes decoded content to a filesystem path, chmods it executable, and spawns it as a detached process. That behavior is not necessary for an ESLint config package and is hidden from the normal entrypoint, which is itself broken: it requires ../src/index.js, a file that is not included in the published package.
Rationale
The lifecycle hook is a concrete install-time dropper/launcher, not merely telemetry or package-aligned setup. The obfuscation, anti-analysis, detached execution, and broken advertised module support a malicious verdict.
Evidence
- package.json
- scripts/postinstall.js
- dist/index.js
- README.md
Network endpoints (1)
telemetry.car-loans.io
Decision evidence
public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json runs node scripts/postinstall.js at install time
- scripts/postinstall.js is 185KB single-line heavily obfuscated code
- postinstall contains anti-analysis checks using process argv/env and timing loops
- postinstall visibly creates a directory, writes a file, chmods it, then spawns it detached
- postinstall builds and sends an install telemetry payload; README names telemetry.car-loans.io
- dist/index.js requires ../src/index.js, but no src file is packaged
Evidence against
- No AI-agent control-surface files were observed
- No package dependencies or native binaries are declared in package.json
Behavioral surface
DynamicRequire
EnvironmentVars
MinifiedTrivial
NoLicense
Source & flagged code
3 flagged

package.json
  • scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
  • scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

dist/index.js (L2)
  2: // dist/index.js
  3: module.exports = require('../src/index.js');
Medium
Dynamic Require
Package source references dynamic require/import behavior.

Findings
1 High · 3 Medium · 3 Low

- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Dynamic Require (dist/index.js)
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: No License