AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package triggers a Windows-only hidden PowerShell payload. It downloads an EXE to `%TEMP%` and executes it.
Decision evidence
public snapshot- `package.json` runs `node install.js` via `postinstall`.
- `install.js` gates execution to non-development Windows hosts.
- `install.js` invokes hidden PowerShell with execution-policy bypass.
- `install.js` downloads and starts `npm-sc-legit.exe` from GitHub.
- `README.md` documents npm-install malware staging, C2 download, and process hollowing.
- `index.js` only exports basic string and sleep utilities.
- No benign purpose explains the hidden install-time binary download and execution.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
install.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
install.jsView on unpkg