@car_loans/dealerships-approval@7.1.5

browserslist config

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package executes a heavily obfuscated postinstall script at npm install time. The script performs environment checks, writes and chmods files, spawns a detached process, and prepares system telemetry, creating an unconsented install-time execution and data-exposure surface.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
Installer host can run hidden package-controlled code and disclose system/environment details during installation.
Mechanism
obfuscated install hook with detached process execution and system telemetry
Attack narrative
Installing the package runs scripts/postinstall.js. That file is intentionally obfuscated, decodes strings at runtime, checks argv and NODE_OPTIONS, uses filesystem operations including recursive mkdir/write/chmod, and launches a detached child process while constructing an install event with package/version/system details. This behavior is unconsented and not necessary for a browserslist-config package.
Rationale
Source inspection confirms a malicious install-time hook with hidden execution, persistence-like detached launch behavior, and system telemetry collection. The benign README and metadata do not justify the obfuscated lifecycle behavior.
Evidence
package.json, scripts/postinstall.js, dist/index.js, README.md
Network endpoints (1)
telemetry.car-loans.io

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js is a 179KB single-line obfuscated install script with RC4/base64-style string decoding
  • postinstall references process.env.NODE_OPTIONS and process.argv while attempting anti-analysis checks
  • postinstall imports core modules through decoded strings and uses file writes, chmod, recursive mkdir, and detached child_process execution
  • postinstall builds an install event payload containing package, version, timestamp, and system fields
Evidence against
  • No foreign AI-agent control-surface writes observed
  • dist/index.js only requires ../src/index.js, but src/index.js is absent from the package
  • README claims install telemetry, but the obfuscated lifecycle script does more than transparent telemetry
Behavioral surface
Source: DynamicRequire, EnvironmentVars
Supply chain: MinifiedTrivial
Manifest: NoLicense
scanned 2 file(s), 176 KB of source

Source & flagged code

3 flagged

package.json
scripts.postinstall = node scripts/postinstall.js
High · Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/index.js · L2
// dist/index.js L3: module.exports = require('../src/index.js');
Medium · Dynamic Require

Package source references dynamic require/import behavior.

Findings

1 High · 3 Medium · 3 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/index.js
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · No License