
@tqm-mfe/main@5.5.0

ESLint configs for Angular apps

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Install-time obfuscated code executes automatically and performs filesystem/process/network behavior inconsistent with an ESLint config package. The shipped runtime entry is also broken because it requires a missing src/index.js.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall
Impact
Arbitrary install-time code execution with potential dropped/executed payload and host/system telemetry disclosure
Mechanism
obfuscated install script with child process, filesystem mutation, detached execution, and telemetry
Attack narrative
On install, npm runs scripts/postinstall.js. That file is a large, obfuscated one-line program that hides its strings and contains decoded require calls, child-process execution, recursive filesystem handling, chmod, detached spawn, and network telemetry submission that includes system details. None of this behavior is aligned with an ESLint config package, and the declared main entry points, via dist/index.js, to a source file that is missing, indicating that the useful package surface is secondary to the installer.
Rationale
The package has concrete unconsented install-time execution with obfuscation, process spawning, filesystem mutation, and telemetry behavior that exceeds the declared ESLint-config purpose. This supports blocking as malicious install-hook abuse rather than a noisy scanner false positive.
Evidence
  • package.json
  • scripts/postinstall.js
  • dist/index.js
  • README.md
Network endpoints (5)
  • telemetry.tqm-mfe.io
  • docs.tqm-mfe.io/platform/main
  • jira.tqm-mfe.io/projects/PLATFORM
  • npm.tqm-mfe.io
  • git+https://github.tqm-mfe.io/platform/main.git

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js is a 182KB single-line heavily obfuscated installer
  • postinstall references require, atob, child process execution, recursive filesystem operations, chmod, and detached spawn patterns
  • postinstall collects package/version/timestamp and system fields before sending an install event
  • README claims install telemetry, but code behavior is far broader and obfuscated
Evidence against
  • dist/index.js only re-exports ../src/index.js, but src/index.js is absent from package
  • No AI-agent control-surface paths found in readable strings
  • No dependency payloads declared in package.json
Behavioral surface
  • Source: DynamicRequire, EnvironmentVars
  • Supply chain: Minified, Trivial
  • Manifest: NoLicense
scanned 2 file(s), 178 KB of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/index.js
// dist/index.js L3: module.exports = require('../src/index.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.js · L2

Findings

1 High · 3 Medium · 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Dynamic Require (dist/index.js)
  • Medium: Environment Vars
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: No License