registry  /  @miracleplus/mplus  /  0.5.15

@miracleplus/mplus@0.5.15

奇绩创坛命令行工具(mplus CLI)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs unconsented install-time mutation of user AI-agent control surfaces. It drops package-supplied skills and command/prompts into agent directories during npm postinstall.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / npm install -g
Impact
Installed AI agents may load package-supplied instructions/prompts without an explicit user setup step.
Mechanism
postinstall copies AI-agent skills and commands into home-directory agent config paths
Policy narrative
On npm installation, the postinstall hook resolves the package root, reads bundled skills and commands, and silently copies them into user-level AI-agent directories. It always targets ~/.agents/skills and conditionally targets Claude and Codex prompt/command directories when those parent directories exist, causing agent-control content to be installed outside the package without an explicit user command.
Rationale
The concrete malicious behavior is the unconsented postinstall write into broad/foreign AI-agent control surfaces, which the policy says to block. The network and CLI API behavior otherwise appears package-aligned, but it does not neutralize the install-time agent mutation.
Evidence
package.jsonscripts/postinstall-skills.jsdist/commands/install-skills.jsdist/env.jsdist/api_client.jsbin/mplus.jsskills/mplus-shared/SKILL.md~/.agents/skills/*~/.claude/skills/*~/.claude/commands/*.md~/.codex/prompts/*.mdskills/*commands/*.md
Network endpoints4
apply.miracleplus.combuild.miracleplus.comapply-staging.miracleplus.combuild-staging.miracleplus.com

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall-skills.js.
  • scripts/postinstall-skills.js silently copies package skills into ~/.agents/skills on every install.
  • scripts/postinstall-skills.js also copies skills/commands into ~/.claude and ~/.codex when those dirs exist.
  • dist/commands/install-skills.js repeats AI-agent resource installation as an explicit command.
  • dist files are heavily obfuscated, increasing review difficulty.
Evidence against
  • No credential harvesting or broad file enumeration found in inspected postinstall source.
  • Network use appears aligned to MiraclePlus CLI APIs in dist/env.js and dist/api_client.js.
  • bin/mplus.js only requires ../dist/index.js.
  • skills/*.md describe mplus commands and API usage rather than obvious exfiltration instructions.
Behavioral surface
Source
DynamicRequireFilesystem
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 48 file(s), 380 KB of source, external domains: apply-staging.miracleplus.com, apply.miracleplus.com, build-staging.miracleplus.com, build.miracleplus.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-skills.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/mplus.jsView file
3// tsc --watch 会反复重写 dist/index.js,但本文件不受影响。 L4: require('../dist/index.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/mplus.jsView on unpkg · L3
dist/registry.jsView file
1'use strict';function _0x4478(){var _0x399af5=['zgvMAw5LuhjVCgvYDhK','x19LC01VzhvSzq','mNPby0HdCW','mtG4ndqXn0jNt3rjDW','ntroBfvbAgG','mtqXotm1tMDcBKLL','nJeYA0XiwhbO','y29TBwfUzfj...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/registry.jsView on unpkg · L1
scripts/postinstall-skills.jsView file
3Install-time AI-agent control hijack evidence: L5: * 分发两类资源到用户级目录(父目录存在才铺,不凭空创建): L6: * - skills/ → ~/.agents/skills/(通用,总是)+ ~/.claude/skills/(Claude Code,若 ~/.claude 存在) L7: * - commands/ → ~/.claude/commands/(Claude Code 斜杠命令,若 ~/.claude 存在) L8: * + ~/.codex/prompts/(Codex 自定义命令,若 ~/.codex 存在) L9: */ ... L28: function copyDirSync(src, dest) { L29: fs.mkdirSync(dest, { recursive: true }); L30: for (const entry of fs.readdirSync(src, { withFileTypes: true })) { ... L33: if (entry.isDirectory()) copyDirSync(srcPath, destPath); L34: else fs.copyFileSync(srcPath, destPath); L35: } ... L52: for (const target of targets) { Payload evidence from skills/mplus-reports/SKILL.md: L3: description: "奇绩创坛 DS 报告数据源:按日期区间拉「13 渠道」线索聚合(手机号 contacts + 企微 soc_channel_users)。当用户要统计奇绩线索来源、做周期/同比分析、或生成「线索来源周期对比报告」(DS 报告) 时使用。CLI 只出原始计数——渠道归类、跨源聚合、6 时段周期日历全部由你(AI)按本 skill 规... L4: metadata: L5: requires:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall-skills.jsView on unpkg · L3

Findings

1 Critical3 High2 Medium5 Low
CriticalAi Agent Control Hijackscripts/postinstall-skills.js
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderdist/registry.js
HighObfuscated
MediumDynamic Requirebin/mplus.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings