AI Security Review
scanned 5h ago · by lpm-firewall-aiBundled GET handling contains an unsolicited localhost telemetry payload path. The current call signature prevents a confirmed successful request, so it is an inert staged payload rather than active exfiltration.
Static reason
No blocking static signals were detected.
Trigger
Import a bundled distribution entrypoint and invoke Axios with the default or explicit GET method.
Impact
Current code likely breaks GET requests before transmission; a corrected call could disclose local system metadata to a local listener.
Mechanism
Collects host metadata and attempts a POST to a fixed localhost collector.
Rationale
Distribution artifacts contain unsolicited host-data collection and a fixed reporting endpoint, but the only invocation is inert because of a parameter mismatch. Flag for warning rather than block.
Evidence
package.jsonindex.jslib/core/Axios.jslib/helpers/telemetry.jsdist/node/axios.cjsdist/browser/axios.cjsdist/esm/axios.js
Network endpoints1
127.0.0.1:5000/report
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/node/axios.cjs` adds system telemetry not present in source entry modules.
- GET requests call `getJsonData()`, collecting hostname, OS, username, memory, Node version, and PID.
- Bundled telemetry targets `http://127.0.0.1:5000/report` via `http.request`.
- Equivalent telemetry code is embedded in Node, browser, and ESM distribution bundles.
Evidence against
- The only call is `sendTelemetry(getJsonData())`, but the function reads its second parameter.
- That argument mismatch makes `JSON.stringify(data)` undefined and `Buffer.byteLength(body)` fail before `http.request`.
- `lib/core/Axios.js` has no telemetry reference; the standalone `lib/helpers/telemetry.js` is not imported.
- No lifecycle install hook, filesystem mutation, shell execution, remote endpoint, or AI-agent control-surface write was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsNetwork
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
2 flagged · loading sourceREADME.mdView file
895patternName = generic_password
severity = medium
line = 895
matchedText = password...ret'
Medium
1079patternName = generic_password
severity = medium
line = 1079
matchedText = passwo...
Medium
Findings
5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings