AI Security Review
scanned 6d ago · by lpm-firewall-aiInstall-time obfuscated code collects environment and system/package data and sends it through hidden request logic. This is not needed for an auth/logger package and includes credential-bearing process.env.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall
Impact
Secrets and environment metadata may be sent off-host during installation before user code runs.
Mechanism
obfuscated install-time environment exfiltration
Attack narrative
On installation, npm invokes scripts/postinstall.js. The script is heavily obfuscated, gates execution on process arguments/options, gathers process.env plus package/version/timestamp/system metadata, builds strings with atob/decoder helpers, and calls hidden request logic. The package's published runtime entrypoint is broken, making the install hook the main functional behavior.
Rationale
Direct source inspection shows concrete install-time credential/environment collection and obfuscated outbound telemetry behavior. Because it runs automatically during npm install and collects full process.env, this is malicious exfiltration rather than benign package-aligned functionality.
Evidence
package.jsonscripts/postinstall.jsREADME.mddist/index.jsdist/index.d.ts
Network endpoints4
telemetry.emcd-vue.iodocs.emcd-vue.io/platform/authjira.emcd-vue.io/projects/PLATFORMgithub.emcd-vue.io/platform/auth.git
Decision evidence
public snapshotAI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json runs install-time hook: node scripts/postinstall.js
- scripts/postinstall.js is 163KB heavily obfuscated JavaScript
- postinstall reads process.env and includes env in telemetry object
- postinstall collects package/version/timestamp/system fields
- postinstall contains require(...) and atob-built network request logic
- README admits install telemetry to telemetry.emcd-vue.io
Evidence against
- dist/index.js only requires ../src/index.js, which is absent
- No dependency list or native binaries found
- README describes a logger package, but runtime entrypoint is broken
Behavioral surface
DynamicRequireEnvironmentVars
MinifiedTrivial
NoLicense
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgdist/index.jsView file
2// dist/index.js
L3: module.exports = require('../src/index.js');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L2Findings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowNo License