AI Security Review
scanned 3h ago · by lpm-firewall-aiInstall-time lifecycle hooks execute on Linux/ECS hosts. The code harvests cloud credentials and host metadata, performs DynamoDB permission actions, then exfiltrates results to a third-party host.
Decision evidence
public snapshot- `package.json` runs `node run.js` in both preinstall and postinstall.
- `run.js` retrieves ECS task-role credentials from `169.254.170.2`.
- `run.js` collects AWS environment credentials and container/process data.
- `run.js` POSTs the collected payload to an external tunnel host.
- `run.js` executes a Python DynamoDB audit that reads, writes, updates, and deletes items.
- `run.js` exits on Windows, limiting the payload to non-Windows hosts.
- README and comments label the code research, but do not obtain install-time consent.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
run.jsView on unpkg · L11Source reaches cloud instance metadata or link-local credential endpoints.
run.jsView on unpkg · L11