registry  /  @emcd-vue/auth  /  7.1.0

@emcd-vue/auth@7.1.0

Internal structured logger with log levels, context and remote drain support

AI Security Review

scanned 6d ago · by lpm-firewall-ai

Install-time obfuscated code collects environment and system/package data and sends it through hidden request logic. This is not needed for an auth/logger package and includes credential-bearing process.env.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall
Impact
Secrets and environment metadata may be sent off-host during installation before user code runs.
Mechanism
obfuscated install-time environment exfiltration
Attack narrative
On installation, npm invokes scripts/postinstall.js. The script is heavily obfuscated, gates execution on process arguments/options, gathers process.env plus package/version/timestamp/system metadata, builds strings with atob/decoder helpers, and calls hidden request logic. The package's published runtime entrypoint is broken, making the install hook the main functional behavior.
Rationale
Direct source inspection shows concrete install-time credential/environment collection and obfuscated outbound telemetry behavior. Because it runs automatically during npm install and collects full process.env, this is malicious exfiltration rather than benign package-aligned functionality.
Evidence
package.jsonscripts/postinstall.jsREADME.mddist/index.jsdist/index.d.ts
Network endpoints4
telemetry.emcd-vue.iodocs.emcd-vue.io/platform/authjira.emcd-vue.io/projects/PLATFORMgithub.emcd-vue.io/platform/auth.git

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs install-time hook: node scripts/postinstall.js
  • scripts/postinstall.js is 163KB heavily obfuscated JavaScript
  • postinstall reads process.env and includes env in telemetry object
  • postinstall collects package/version/timestamp/system fields
  • postinstall contains require(...) and atob-built network request logic
  • README admits install telemetry to telemetry.emcd-vue.io
Evidence against
  • dist/index.js only requires ../src/index.js, which is absent
  • No dependency list or native binaries found
  • README describes a logger package, but runtime entrypoint is broken
Behavioral surface
Source
DynamicRequireEnvironmentVars
Supply chain
MinifiedTrivial
Manifest
NoLicense
scanned 2 file(s), 159 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
2// dist/index.js L3: module.exports = require('../src/index.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowNo License