AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package performs import-time remote code retrieval and eval. It also collects environment variables and host identifiers in the same module scope.
Decision evidence
public snapshot
- index.js requires ./lib/writer at module load.
- lib/writer.js constructs data from process.env, os.hostname(), os.userInfo().username, platform, and MAC addresses.
- lib/writer.js stores the endpoint as a Base64 string, decodes it at runtime to https://www.jsonkeeper.com/b/PJNZP, and fetches it via axios.
- lib/writer.js passes r.data.data from the remote response to eval().
- package.json has no install hooks, but main points to index.js, so a plain require() of the package loads the writer module and runs this code.
- No npm lifecycle scripts were present in package.json.
- No AI-agent control-surface writes found in inspected entrypoint files.
Source & flagged code
4 flagged
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/writer.js · L20: Source decodes a Base64-obscured HTTP endpoint at runtime.
lib/writer.js · L28