@tqm-mfe/main@5.4.7

A server and a middleware for API mocking.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time obfuscated JavaScript executes automatically and collects host/system details. It contains detached process execution and recursive file-operation primitives inconsistent with a simple API mocking package.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install runs package.json postinstall
Impact: Unconsented install-time execution can exfiltrate environment/system metadata and run additional local commands or persistence-like cleanup/dropper behavior.
Mechanism: obfuscated install hook with telemetry, child process, and fs operations
Attack narrative: On installation, npm runs scripts/postinstall.js. That file is deliberately obfuscated and includes environment inspection, OS/system metadata collection, recursive filesystem operations, detached child process execution, and a telemetry event containing package/version/timestamp/system fields. This is not limited to documented package functionality and executes without an explicit user action beyond install.
Rationale: The package has concrete malicious install-time behavior: a hidden obfuscated postinstall with host reconnaissance, command execution primitives, filesystem mutation, detached execution, and telemetry/exfiltration. Source inspection supports blocking rather than treating scanner hints as noisy.
Evidence
  • package.json
  • scripts/postinstall.js
  • README.md
  • dist/index.js
Network endpoints (5)
  • telemetry.tqm-mfe.io
  • docs.tqm-mfe.io/platform/main
  • jira.tqm-mfe.io/projects/PLATFORM
  • npm.tqm-mfe.io
  • git+https://github.tqm-mfe.io/platform/main.git

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js is heavily obfuscated install-time code
  • scripts/postinstall.js references process.env, os APIs, child process spawn/exec patterns, recursive fs operations, and detached execution
  • scripts/postinstall.js builds telemetry payload with package/version/timestamp/system fields
  • README.md discloses install telemetry to telemetry.tqm-mfe.io
Evidence against
  • dist/index.js only requires ../src/index.js, but src is absent from package
  • No AI-agent control-surface writes found in package paths inspected
Behavioral surface
Source: DynamicRequire, EnvironmentVars
Supply chain: Minified, Trivial
Manifest: NoLicense
scanned 2 file(s), 189 KB of source

Source & flagged code

3 flagged

package.json
scripts.postinstall = node scripts/postinstall.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

dist/index.js · L2
// dist/index.js L3: module.exports = require('../src/index.js');
Medium: Dynamic Require
Package source references dynamic require/import behavior.

Findings

1 High, 3 Medium, 3 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Dynamic Require (dist/index.js)
Medium: Environment Vars
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: No License