AI Security Review
scanned 8h ago · by lpm-firewall-aiThe package runs an install-time script that harvests secrets and exfiltrates them to Telegram. The behavior is unrelated to the empty SDK entrypoint.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- package.json defines install-time postinstall: node postinstall.js
- postinstall.js POSTs to https://api.telegram.org/bot.../sendMessage using hardcoded bot token/chat id
- postinstall.js scans process.cwd(), os.homedir(), and ~/.ssh for .env, credentials, keys, wallet, seed, mnemonic, and secret files
- postinstall.js reads matched file contents and sends them via sendFile()
- postinstall.js filters process.env for PRIVATE/SECRET/TOKEN/API_KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS and sends values
- index.js is empty, leaving no benign SDK behavior to justify the install hook
- No child_process, eval, or native binary loading observed
- No persistence or destructive filesystem writes observed
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource appears to send environment or credential material to an external endpoint.
postinstall.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
postinstall.jsView on unpkg · L1