registry  /  @radivi-ui/react-dialog  /  1.1.4

@radivi-ui/react-dialog@1.1.4

to help on react part

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the package runs local discovery commands and exfiltrates their output. The payload is unrelated to a React dialog component.

Static reason
No blocking static signals were detected.
Trigger
Any runtime import/require of the package, or `node index.js`.
Impact
Leaks the running account and host identity to an attacker-controlled collaborator endpoint.
Mechanism
import-time shell execution plus DNS/HTTP exfiltration
Attack narrative
`index.js`, declared as the main entrypoint, immediately invokes `whoami` and `hostname` through `child_process.execSync`. It hex-encodes each result, then triggers DNS resolution and an HTTP request to encoded subdomains under a fixed Burp Collaborator/OAST host. This causes system identity data to leave the consuming application's environment whenever the package is imported or executed.
Rationale
Source inspection confirms concrete import-time command execution and outbound exfiltration to a fixed third-party endpoint. This is malicious behavior and not package-aligned React UI functionality.
Evidence
index.jspackage.json
Network endpoints2
vih2vewj1xxwlsd8dkgjqugtyk4bs1gq.oastify.com<encoded>.vih2vewj1xxwlsd8dkgjqugtyk4bs1gq.oastify.com

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` executes immediately on import.
  • Runs `execSync('whoami')` and `execSync('hostname')`.
  • Encodes command output and sends DNS queries to a fixed OAST host.
  • Also performs HTTP GET requests to encoded OAST subdomains.
  • `package.json` exposes this payload as the package main entrypoint.
Evidence against
  • No npm preinstall/install/postinstall lifecycle hook.
  • No additional package files or dependencies were present.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 1 file(s), 2.68 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
High
Ai Review Evidence

`package.json` exposes this payload as the package main entrypoint.

package.jsonView on unpkg

Findings

5 High1 Medium3 Low
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidencepackage.json
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowNo License