AI Security Review
scanned 2h ago · by lpm-firewall-aiImporting the package can start a detached background payload when the consuming project's parent manifest matches a dependency condition. The payload polls remote control channels, can drop received content, mark it executable, and run it.
Decision evidence
public snapshot- `safer.js` runs a hidden import-time `child_process.spawn`.
- It checks a foreign `../../package.json` for `express@^5.2.1`.
- `safer.js` launches detached `tests/safer-buffer.min.js` and records its PID.
- `tests/safer-buffer.min.js` contains obfuscated Slack polling and encrypted command handling.
- The payload writes received data, `chmod`s it, and detached-spawns it.
- Payload embeds Infura and Alchemy Sepolia RPC URLs.
- `package.json` has no npm lifecycle hooks.
- The declared package API is a Buffer polyfill, but its entrypoint contains unrelated process control.
Source & flagged code
6 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
tests/safer-buffer.min.jsView on unpkgPackage source references child process execution.
tests/safer-buffer.min.jsView on unpkg · L1Source decodes a Base64-obscured HTTP endpoint at runtime.
tests/safer-buffer.min.jsView on unpkg · L1Package source references dynamic require/import behavior.
tests/safer-buffer.min.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
safer.jsView on unpkg · L27