@car_loans/dealerships-approval@7.1.6

ESLint configs for Angular apps

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Install triggers an obfuscated postinstall payload that writes and launches a detached executable/script. This is not aligned with an ESLint config package and creates persistence-like execution outside normal package use.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
arbitrary code execution during install with potential background persistence/exfiltration
Mechanism
obfuscated install-time dropper and detached process launch
Attack narrative
Installing the package runs scripts/postinstall.js. Static inspection shows the script is deliberately obfuscated, performs anti-analysis checks, writes decoded content to a filesystem path, chmods it executable, and spawns it detached. That behavior is not necessary for an ESLint config package and is hidden from the normal entrypoint, which is itself broken because it requires an unpacked ../src/index.js.
Rationale
The lifecycle hook is a concrete install-time dropper/launcher, not merely telemetry or package-aligned setup. The obfuscation, anti-analysis, detached execution, and broken advertised module support a malicious verdict.
Evidence
package.json, scripts/postinstall.js, dist/index.js, README.md
Network endpoints (1)
telemetry.car-loans.io

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs node scripts/postinstall.js at install time
  • scripts/postinstall.js is 185 KB of single-line, heavily obfuscated code
  • postinstall contains anti-analysis checks using process argv/env and timing loops
  • postinstall visibly creates a directory, writes a file, chmods it, then spawns it detached
  • postinstall builds and sends an install telemetry payload; README names telemetry.car-loans.io
  • dist/index.js requires ../src/index.js, but no src file is packaged
Evidence against
  • No AI-agent control-surface files were observed
  • No package dependencies or native binaries are declared in package.json
Behavioral surface
Source
DynamicRequire, EnvironmentVars
Supply chain
Minified, Trivial
Manifest
NoLicense
scanned 2 file(s), 181 KB of source

Source & flagged code

3 flagged

package.json
  scripts.postinstall = node scripts/postinstall.js
  High · Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts.

package.json
  scripts.postinstall = node scripts/postinstall.js
  Medium · Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.

dist/index.js · L2
  // dist/index.js L3: module.exports = require('../src/index.js');
  Medium · Dynamic Require
  Package source references dynamic require/import behavior.

Findings

1 High, 3 Medium, 3 Low
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · dist/index.js
  • Medium · Environment Vars
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · No License