AI Security Review
scanned 3h ago · by lpm-firewall-aiImporting the package runs local discovery commands and exfiltrates their output. The payload is unrelated to a React dialog component.
Static reason
No blocking static signals were detected.
Trigger
Any runtime import/require of the package, or `node index.js`.
Impact
Leaks the running account and host identity to an attacker-controlled collaborator endpoint.
Mechanism
import-time shell execution plus DNS/HTTP exfiltration
Attack narrative
`index.js`, declared as the main entrypoint, immediately invokes `whoami` and `hostname` through `child_process.execSync`. It hex-encodes each result, then triggers DNS resolution and an HTTP request to encoded subdomains under a fixed Burp Collaborator/OAST host. This causes system identity data to leave the consuming application's environment whenever the package is imported or executed.
Rationale
Source inspection confirms concrete import-time command execution and outbound exfiltration to a fixed third-party endpoint. This is malicious behavior and not package-aligned React UI functionality.
Evidence
index.jspackage.json
Network endpoints2
vih2vewj1xxwlsd8dkgjqugtyk4bs1gq.oastify.com<encoded>.vih2vewj1xxwlsd8dkgjqugtyk4bs1gq.oastify.com
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` executes immediately on import.
- Runs `execSync('whoami')` and `execSync('hostname')`.
- Encodes command output and sends DNS queries to a fixed OAST host.
- Also performs HTTP GET requests to encoded OAST subdomains.
- `package.json` exposes this payload as the package main entrypoint.
Evidence against
- No npm preinstall/install/postinstall lifecycle hook.
- No additional package files or dependencies were present.
Behavioral surface
ChildProcessNetwork
HighEntropyStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
High
Ai Review Evidence
`package.json` exposes this payload as the package main entrypoint.
package.jsonView on unpkgFindings
5 High1 Medium3 Low
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidencepackage.json
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowNo License