AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an obfuscated AI outbound-call CLI whose risky behavior is user-invoked API calls, local config storage, and optional localcrm tagging.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the aicall CLI commands, especially init or call.
Impact
User-provided token, umId, salesperson name, phone numbers, and call metadata are used for the advertised outbound-call workflow.
Mechanism
CLI config storage, fetch requests to AI outbound API, and localcrm subprocess tagging helper
Rationale
Static inspection found strong obfuscation and anti-debugging, but the readable bundled source and targeted searches show package-aligned CLI behavior rather than concrete malware. The scanner’s obfuscation findings are real but do not by themselves establish exfiltration, install-time execution, persistence, or destructive behavior.
Evidence
package.jsonbin/aicall.jsdist/bundle.cjsdist/bundle-og.cjsdist/bundle-no-debug.cjs~/.aicallrc/config.json
Network endpoints5
cfs-ms.pa18.comcfs-ms.pa18.com/gw_ms/phsp-tool/ai-call/synCallList?token=<token>cfs-ms.pa18.com/gw_ms/phsp-tool/ai-call/queryAiOutboundInfo?token=<token>cfs-ms.pa18.com/gw_ms/phsp-tool/ai-call/queryAsr?token=<token>cfs-ms.pa18.com/gw_ms/phsp-tool/ai-call/getTokenQuota?token=<token>
Decision evidence
public snapshotAI called this Clean at 78.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/bundle.cjs is heavily obfuscated and includes anti-debug/process-exit logic when argv or NODE_OPTIONS mention inspect/debug.
- dist/bundle-og.cjs has user-invoked execSync calls to localcrm commands during unsupported-phone tagging.
- dist/bundle-og.cjs writes user-provided credentials to ~/.aicallrc/config.json on aicall init.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; bin entrypoint only loads dist/bundle.cjs.
- Readable bundle shows package-aligned CLI commands: init, call, status, asr, daylimit, help.
- Network use is limited to configured AI outbound API paths under DEFAULT_HOST https://cfs-ms.pa18.com unless user overrides host.
- No source evidence of import-time harvesting, hidden exfiltration endpoint, destructive behavior, persistence, or AI-agent control-surface writes.
Behavioral surface
ChildProcessDynamicRequireFilesystemNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcebin/aicall.jsView file
18if (existsSync(distBundle)) {
L19: const require = createRequire(import.meta.url);
L20: require(distBundle);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/aicall.jsView on unpkg · L18dist/bundle-no-debug.cjsView file
1#!/usr/bin/env node
L2: (function(R,z){function qt(R,z,K,p,E){return m(z- -0x80,R);}function qW(R,z,K,p,E){return d(R- -0x9d,E);}function qe(R,z,K,p,E){return m(z-0x99,K);}function qc(R,z,K,p,E){return m(...
High
Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/bundle-no-debug.cjsView on unpkg · L1dist/bundle-og.cjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = aicall-cli-x@0.0.2
matchedIdentity = npm:YWljYWxsLWNsaS14:0.0.2
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/bundle-og.cjsView on unpkgFindings
1 Critical1 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/bundle-og.cjs
HighObfuscated Payload Loaderdist/bundle-no-debug.cjs
MediumDynamic Requirebin/aicall.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License