AI Security Review
scanned 2h ago · by lpm-firewall-aiImporting the package executes concealed decrypted JavaScript from a dependency. The payload is dropped to a temporary file and launched as a detached Node child with inherited environment variables.
Static reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Importing `ai-pro-sdk` through its default `dist/index.js` entrypoint.
Impact
Arbitrary hidden code can run in the consumer environment and access inherited environment variables.
Mechanism
Import-time encrypted dependency payload decryption and detached child-process execution.
Attack narrative
At import time, `dist/index.js` loads `data-blockv`, decrypts its exported value using a hard-coded DES password, writes the resulting script into the OS temporary directory, and starts it with Node as a detached process. Because the decrypted program is not inspectable in this package and inherits `process.env`, it can execute arbitrary actions and access consumer secrets without an explicit user action.
Rationale
This is a concrete concealed import-time arbitrary-code execution chain, not a package-aligned SDK feature. The detached process and inherited environment materially increase impact.
Evidence
package.jsondist/index.js
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `dist/index.js` runs an async IIFE immediately on module import.
- It dynamically imports `data-blockv`, DES-decrypts its value with an embedded password, and treats it as JavaScript.
- The decrypted content is written to a temporary `.js` file and executed with `spawn(process.execPath, [tmpPath])`.
- The child is detached with `unref()` and receives the full `process.env`, enabling hidden background execution with inherited secrets.
- `package.json` declares `data-blockv` solely as a runtime dependency supporting the concealed payload chain.
Evidence against
- `package.json` has only a `prepare` hook, whose build command only prints a message.
- No concrete network endpoint is visible in the package source; the opaque decrypted payload is the execution vector.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 7ae968e9b581bae0
signatureType = suspicious_hashes
sourceLabel = OpenSSF malicious-packages
matchedPackage = ai-pro-sdk@2.0.3
matchedPath = dist/index.js
matchedIdentity = npm:YWktcHJvLXNkaw:2.0.3
similarity = 1.000
shingleOverlap = 1
summary = Malicious code in ai-pro-sdk (npm)
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
dist/index.jsView on unpkgFindings
1 High1 Medium4 Low
HighKnown Malware Source Fingerprint Signaturedist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings