registry  /  @playerdata-internal/playerdata-core  /  9999.99.20

@playerdata-internal/playerdata-core@9999.99.20

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package executes index.js during npm postinstall and exfiltrates host/user fingerprint data. The destination is a generic webhook.site endpoint, not package-aligned service infrastructure.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install lifecycle postinstall
Impact
Leaks installer username, working directory, hostname, local IP, platform, and timestamp to an external webhook.
Mechanism
install-time host fingerprint exfiltration via HTTPS POST
Attack narrative
On installation, npm runs the postinstall script `node index.js`. That script builds a JSON payload from OS and process metadata, including username, project working directory, hostname, local IPv4 address, platform, and timestamp, then posts it to a webhook.site URL. There is no visible legitimate package behavior that requires this install-time telemetry.
Rationale
Source inspection confirms unconsented install-time collection and exfiltration of host identity data to an unrelated webhook endpoint. This is concrete malicious behavior, not merely dual-use networking.
Evidence
package.jsonindex.js
Network endpoints1
webhook.site/a8cd7fd0-4d41-4806-8649-f3297e94a008

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node index.js
  • index.js runs at install time and immediately sends an HTTPS POST
  • index.js collects os.userInfo().username, cwd/INIT_CWD, hostname, local IPv4, platform, timestamp
  • Data is exfiltrated to webhook.site /a8cd7fd0-4d41-4806-8649-f3297e94a008
  • No package functionality beyond install-time host fingerprint collection and network send
Evidence against
  • No credential file reads observed
  • No child_process, eval, persistence, destructive actions, or AI-agent config writes observed
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1009 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const os = require('os'); L2: const https = require('https'); L3: L4: function localIP() { L5: const nets = os.networkInterfaces(); L6: for (const iface of Object.values(nets)) { ... L15: user: os.userInfo().username, L16: cwd: process.env.INIT_CWD || process.cwd(), L17: hostname: os.hostname(), L18: localIP: localIP(), ... L40: L41: req.write(payload);
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

index.jsView on unpkg · L1
matchType = malicious_source_fingerprint_signature signature = b6b657094c077e81 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = dependency_confusions@99.9.9 matchedPath = index.js matchedIdentity = npm:ZGVwZW5kZW5jeV9jb25mdXNpb25z:99.9.9 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg

Findings

3 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present