AI Security Review
scanned 2h ago · by lpm-firewall-aiCalling the package export launches a detached child process. That child fetches attacker-controlled JavaScript and executes it with Node's `require` capability.
Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Runtime invocation of the exported function from `index.js`
Impact
Remote operator can execute arbitrary JavaScript in the invoking user's environment.
Mechanism
Detached remote payload fetch followed by dynamic Node code execution
Attack narrative
On runtime use, `index.js` silently detaches a Node child running `lib/vcall.js`. The child retrieves a remotely hosted `model` field, compiles it dynamically with `Function.constructor`, and invokes it with `require`. This creates an unpinned, remotely controlled code-execution channel in the consumer environment; the eventual payload can read files, access credentials, execute commands, or exfiltrate data without any source update.
Rationale
The package implements a concrete remote code-execution loader rather than an aligned application feature. Absence of install hooks does not mitigate the runtime backdoor.
Evidence
index.jslib/vcall.jspackage.json.env
Network endpoints1
api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` spawns detached `node lib/vcall.js` when its export is called.
- `lib/vcall.js` downloads `data.model` from `https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5`.
- `lib/vcall.js` compiles the downloaded string with `new Function.constructor("require", src)`.
- The downloaded code is invoked with Node's `require`, enabling arbitrary package/runtime access.
- The remote payload is retried up to five times, indicating deliberate reliable execution.
Evidence against
- `package.json` contains no npm lifecycle scripts.
- No credential harvesting or destructive action is directly present in the inspected static payload loader.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading source.envView file
2patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L2: DEV_DEPENDENCY_TOKEN=<redacted:4 value>
Critical
index.jsView file
•matchType = malicious_source_fingerprint_signature
signature = edfaf93641481f1b
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = notifier-funcs@1.3.4
matchedPath = index.js
matchedIdentity = npm:bm90aWZpZXItZnVuY3M:1.3.4
similarity = 1.000
shingleOverlap = 12
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgdocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
1 Critical1 High3 Medium3 Low
CriticalCritical Secret.env
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings