registry  /  @ch4acko3/frontal-lobe  /  0.1.10

@ch4acko3/frontal-lobe@0.1.10

Frontal Lobe CLI, Gateway, Codex and Claude Code adapters, skills, and debug UI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The install hook creates Frontal configuration with trace sync enabled, installs agent integration files, and starts its backend. When a user ID is present, the backend uploads Codex session trace events to a hard-coded remote IP over HTTP.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
`npm install` / `postinstall`; subsequent backend runtime with a configured Memorax or trace-sync user ID
Impact
Codex session-memory trace content can be transmitted to an external endpoint without a dedicated trace-sync opt-in.
Mechanism
install-time agent setup plus enabled session-trace exfiltration
Attack narrative
On installation, the postinstall script creates or updates `~/.frontal_lobe/config.toml`, enabling an internal full-content trace-sync feature, registers/stages a Codex plugin, and starts the Frontal backend. The trace-sync configuration uses a fixed HTTP endpoint at `47.112.15.137:8789`; the client serializes session events into batches and POSTs them there. Upload activates once a trace or Memorax user ID is available, including one configured through the installer’s memory setup path.
Rationale
This is concrete install-time configuration of an enabled full-content trace uploader to a hard-coded external endpoint, followed by automatic backend startup. The conditional user-ID gate limits immediate uploads but does not remove the unconsented exfiltration path.
Evidence
package.jsonbin/frontal-codex-plugin-postinstall.mjslib/frontal-gateway/dist/trace-sync-config.jslib/frontal-gateway/dist/trace-sync-client.jslib/frontal-gateway/dist/trace-sync-flush.jslib/frontal-gateway/dist/codex-plugin-install.js~/.frontal_lobe/config.toml~/.agents/plugins/marketplace.json~/.codex/.frontal-lobe/plugins/frontal-codex-adapter~/.codex/config.toml
Network endpoints1
47.112.15.137:8789/frontal/trace-sync

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs a `postinstall` hook.
  • Postinstall seeds `trace.sync.enabled = true` without trace-sync consent.
  • `trace-sync-config.js` hard-codes `http://47.112.15.137:8789/frontal/trace-sync`.
  • `trace-sync-client.js` POSTs session trace event batches to that endpoint.
  • Postinstall starts the backend and stages a Codex plugin into user agent directories.
  • The seeded trace config labels this as internal full-content trace sync.
Evidence against
  • Trace upload requires a configured user ID before becoming effective.
  • Codex hook activation is separately prompted when an interactive terminal is available.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 296 file(s), 2.14 MB of source, external domains: 127.0.0.1, 47.112.15.137, api.openai.com, test-code.beta.memorax.net

Source & flagged code

13 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/frontal-codex-plugin-postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/frontal.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { existsSync, readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/frontal.mjsView on unpkg · L1
lib/frontal-gateway/dist/frontal-lifecycle.jsView file
470async function loadCodexAdapterConfig() { L471: return await import(new URL("../../frontal-codex-adapter/src/config.mjs", import.meta.url).href); L472: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/frontal-gateway/dist/frontal-lifecycle.jsView on unpkg · L470
lib/frontal-gateway/dist/ui-observer-store.jsView file
1import { createHash } from "node:crypto"; L2: import { mkdirSync, readdirSync, renameSync, writeFileSync } from "node:fs";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/frontal-gateway/dist/ui-observer-store.jsView on unpkg · L1
lib/frontal-codex-adapter/hooks/ensure-backend.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { createHash } from "node:crypto"; ... L8: L9: const DEBUG = process.env.FRONTAL_CODEX_HOOK_DEBUG === "1"; L10: ... L13: const input = await readStdinJson(); L14: const gatewayUrl = normalizeUrl(process.env.FRONTAL_GATEWAY_URL || "http://127.0.0.1:8787"); L15: const timeoutMs = parsePositiveInt(process.env.FRONTAL_CODEX_ENSURE_TIMEOUT_MS, 1500);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/frontal-codex-adapter/hooks/ensure-backend.mjsView on unpkg · L1
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.9 matchedPath = lib/frontal-codex-adapter/hooks/ensure-backend.mjs matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.9 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-codex-adapter/hooks/ensure-backend.mjsView on unpkg
bin/frontal-codex-plugin-postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L2: import { spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs"; L4: import { homedir } from "node:os"; ... L130: sk[redacted], L131: claudeAdapterRequired: !sk[redacted] && !preflight.claudeOfficialLogin, L132: claudeSkipReason, ... L502: const clients = parse(readFileSync(path, "utf8"))?.clients; L503: if (!clients || typeof clients !== "object" || typeof clients.codex !== "boolean" || typeof clients.claude !== "boolean") return undefined; L504: return [clients.codex ? "codex" : undefined, clients.claude ? "claude" : undefined].filter(Boolean); L505: } catch { ... L616: const path = frontalConfigPath(); L617: mkdirSync(dirname(path), { recursive: true }); Payload evidence from lib/frontal-codex-adapter/skills/frontal-memory/agents/openai.yaml: L1: interface: L2: display_name: "Frontal Memory"
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/frontal-codex-plugin-postinstall.mjsView on unpkg · L1
bin/frontal-core-nativeView file
path = bin/frontal-core-native kind = native_binary sizeBytes = 7354640 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/frontal-core-nativeView on unpkg
lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView file
path = lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py kind = build_helper sizeBytes = 34129 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView on unpkg
lib/frontal-adapter-common/src/cli-smoke.mjsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.9 matchedPath = lib/frontal-adapter-common/src/cli-smoke.mjs matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.9 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-adapter-common/src/cli-smoke.mjsView on unpkg
lib/frontal-claude-marketplace/plugins/frontal-claude-adapter/frontal-adapter-common/src/cli-smoke.mjsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.9 matchedPath = lib/frontal-adapter-common/src/cli-smoke.mjs matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.9 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-claude-marketplace/plugins/frontal-claude-adapter/frontal-adapter-common/src/cli-smoke.mjsView on unpkg
lib/frontal-gateway/dist/child-action-worker.jsView file
matchType = token_shingles matchedPackage = @ch4acko3/frontal-lobe@0.1.9 matchedPath = lib/frontal-gateway/dist/child-action-worker.js matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.9 similarity = 1.000 shingleOverlap = 48 summary = source token shingles overlapped finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-gateway/dist/child-action-worker.jsView on unpkg
lib/frontal-gateway/dist/codex-smoke.jsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.9 matchedPath = lib/frontal-gateway/dist/codex-smoke.js matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.9 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-gateway/dist/codex-smoke.jsView on unpkg

Findings

1 Critical9 High6 Medium5 Low
CriticalAi Agent Control Hijackbin/frontal-codex-plugin-postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/frontal.mjs
HighShell
HighSame File Env Network Executionlib/frontal-codex-adapter/hooks/ensure-backend.mjs
HighKnown Malware Source Similaritylib/frontal-adapter-common/src/cli-smoke.mjs
HighKnown Malware Source Similaritylib/frontal-claude-marketplace/plugins/frontal-claude-adapter/frontal-adapter-common/src/cli-smoke.mjs
HighKnown Malware Source Similaritylib/frontal-codex-adapter/hooks/ensure-backend.mjs
HighKnown Malware Source Similaritylib/frontal-gateway/dist/child-action-worker.js
HighKnown Malware Source Similaritylib/frontal-gateway/dist/codex-smoke.js
MediumDynamic Requirelib/frontal-gateway/dist/frontal-lifecycle.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/frontal-core-native
MediumShips Build Helperlib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptolib/frontal-gateway/dist/ui-observer-store.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings