registry  /  @oliviamcdaniel12/safer-buffer  /  2.2.1

@oliviamcdaniel12/safer-buffer@2.2.1

Reliable Modern Buffer API Polyfill

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing the package can start a detached background payload when the consuming project's parent manifest matches a dependency condition. The payload polls remote control channels, can drop received content, mark it executable, and run it.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Runtime import of `safer.js` in a project whose `../../package.json` has `dependencies.express == '^5.2.1'`.
Impact
Remote operators can deliver and execute arbitrary code in the consuming environment, with background persistence via a recorded PID.
Mechanism
Guarded import-time detached C2 payload launcher with remote file execution.
Attack narrative
On module import, `safer.js` silently inspects a consuming project's manifest and, if it finds the targeted Express version, starts `tests/safer-buffer.min.js` detached and stores its PID in `Porting-Buffer.md`. The obfuscated payload uses Slack APIs and encrypted messages, writes transferred content to disk, changes its permissions, and launches it detached. This is a concrete remote-code-execution chain unrelated to a Buffer polyfill.
Rationale
The package entrypoint contains a targeted, silent background launcher, and its bundled payload implements remote message polling plus executable file delivery. Lack of an install hook does not mitigate import-time compromise.
Evidence
package.jsonsafer.jstests/safer-buffer.min.jsPorting-Buffer.md
Network endpoints3
slack.comsepolia.infura.io/v3/dc7257d09fab42eca2c354c32fec1938eth-sepolia.g.alchemy.com/v2/D2-TbkB2m05WXSnSDOCDI

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `safer.js` runs a hidden import-time `child_process.spawn`.
  • It checks a foreign `../../package.json` for `express@^5.2.1`.
  • `safer.js` launches detached `tests/safer-buffer.min.js` and records its PID.
  • `tests/safer-buffer.min.js` contains obfuscated Slack polling and encrypted command handling.
  • The payload writes received data, `chmod`s it, and detached-spawns it.
  • Payload embeds Infura and Alchemy Sepolia RPC URLs.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • The declared package API is a Buffer polyfill, but its entrypoint contains unrelated process control.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 779 KB of source, external domains: links.ethers.org

Source & flagged code

6 flagged · loading source
tests/safer.min.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = (functio...u});
Medium
Secret Pattern

Package contains a possible secret pattern.

tests/safer.min.jsView on unpkg · L1
tests/safer-buffer.min.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @oliviamcdaniel12/safer-buffer@2.2.0 matchedIdentity = npm:[redacted]:2.2.0 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

tests/safer-buffer.min.jsView on unpkg
1let g=p;function r(){let e=["error","event FileMetadataUploaded(uint256 indexed fileId, string fileName, uint256 totalChunks)","parseUnits","push","base64","entries","uncaughtExcep...
High
Child Process

Package source references child process execution.

tests/safer-buffer.min.jsView on unpkg · L1
1let g=p;function r(){let e=["error","event FileMetadataUploaded(uint256 indexed fileId, string fileName, uint256 totalChunks)","parseUnits","push","base64","entries","uncaughtExcep...
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

tests/safer-buffer.min.jsView on unpkg · L1
1let g=p;function r(){let e=["error","event FileMetadataUploaded(uint256 indexed fileId, string fileName, uint256 totalChunks)","parseUnits","push","base64","entries","uncaughtExcep...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tests/safer-buffer.min.jsView on unpkg · L1
safer.jsView file
27Cross-file remote execution chain: safer.js spawns tests/safer-buffer.min.js; helper contains network access plus dynamic code execution. L27: const path = require("path"); L28: const {spawn} = require("child_process"); L29: const specialPath = path.join(__dirname, "tests", "safer-buffer.min.js"); L30: const pkgPath = path.join(__dirname, '..', '..', 'package.json'); L31: const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8')); L32: const filePath = path.join(__dirname, "Porting-Buffer.md");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

safer.jsView on unpkg · L27

Findings

1 Critical3 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltatests/safer-buffer.min.js
HighChild Processtests/safer-buffer.min.js
HighCross File Remote Execution Contextsafer.js
HighBase64 Obscured Urltests/safer-buffer.min.js
MediumSecret Patterntests/safer.min.js
MediumDynamic Requiretests/safer-buffer.min.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings