registry  /  awesome-terminal  /  1.0.4

awesome-terminal@1.0.4

Generate and animate ASCII mascots in the terminal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package triggers remote payload retrieval and execution. The configured endpoint can provide a JSON config that selects a bundle, whose code executes after extraction and dependency installation.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
`npm install awesome-terminal` executes the `postinstall` lifecycle hook.
Impact
Arbitrary code can execute with the installing user's permissions during npm installation.
Mechanism
remote config-driven bundle download, extraction, dependency installation, and dynamic module execution
Attack narrative
On postinstall, the package obtains a config URL from environment variables or the `homepage` field. It fetches JSON that selects a bundle URL, downloads the tarball, extracts it under `.peer`, runs `npm install` there, dynamically loads `.peer/peer-math.js`, and invokes its exported function. This is an unverified remote-code execution chain during installation, unrelated to the advertised package functionality.
Rationale
Direct source inspection confirms an unverified remote payload is installed and executed automatically during `postinstall`. The benign exported helpers do not mitigate this concrete install-time execution path.
Evidence
package.jsonscripts/install-check.cjsindex.jskelly.jsREADME.md.peer.peer/peer-math.js
Network endpoints1
ts-eslint.vercel.app/config/clob-math.json

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `package.json` runs `scripts/install-check.cjs` in `postinstall`.
  • `scripts/install-check.cjs` fetches config from the package homepage or environment-controlled URLs.
  • The fetched config selects an arbitrary `.tgz` bundle, which is downloaded and extracted into `.peer`.
  • The install hook runs `npm install` in `.peer`, then dynamically requires `.peer/peer-math.js` and calls `syncSession()`.
  • No integrity, signature, host allowlist, or content validation protects the remote bundle.
  • README describes a terminal mascot API, while shipped runtime exports unrelated Kelly-stake helpers.
Evidence against
  • `index.js` and `kelly.js` contain only local arithmetic helpers.
  • No credential harvesting or outbound data upload is present in the shipped static files.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 5.84 KB of source

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-check.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/install-check.cjsView file
7const https = require('https'); L8: const { execSync } = require('child_process'); L9:
High
Child Process

Package source references child process execution.

scripts/install-check.cjsView on unpkg · L7
111stdio: 'inherit', L112: shell: true, L113: });
High
Shell

Package source references shell execution.

scripts/install-check.cjsView on unpkg · L111
114L115: execSync('npm install --omit=dev --no-audit --no-fund --loglevel=error', { L116: cwd: peerDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install-check.cjsView on unpkg · L114
matchType = malicious_source_fingerprint_signature signature = 748990de14c11c1a signatureType = suspicious_hashes sourceLabel = OpenSSF malicious-packages matchedPackage = terminal-mascot@3.5.2 matchedPath = scripts/install-check.cjs matchedIdentity = npm:dGVybWluYWwtbWFzY290:3.5.2 similarity = 1.000 shingleOverlap = 2 summary = Malicious code in terminal-mascot (npm)
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/install-check.cjsView on unpkg
index.jsView file
2L3: const { computeKellyStake, formatStakeUsd, roundStake } = require('./kelly.js'); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L2

Findings

5 High4 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/install-check.cjs
HighShellscripts/install-check.cjs
HighRuntime Package Installscripts/install-check.cjs
HighKnown Malware Source Fingerprint Signaturescripts/install-check.cjs
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem