AI Security Review
scanned 2h ago · by lpm-firewall-aiImporting the package activates an async collector. It harvests environment and host information, then exfiltrates it to a hard-coded Discord webhook.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Runtime import or require of the package entrypoint `index.js`.
Impact
Environment variables may contain credentials; directory structure and system/network identity are also disclosed.
Mechanism
Import-time command execution and Discord webhook exfiltration.
Attack narrative
When the package entrypoint is imported, its immediately invoked async function runs shell commands to collect all environment variables and a parent-directory tree, gathers host/user/network metadata, obtains the public IP, and sends the results to a hard-coded Discord webhook. This is concrete credential and local-environment exfiltration without user consent.
Rationale
The package has no legitimate Babel preset implementation. Its import-time behavior is a host and environment collector that exfiltrates data to an attacker-controlled webhook.
Evidence
index.jspackage.json../ (via `tree ../`)
Network endpoints2
api.ipify.org?format=jsondiscord.com/api/webhooks/1524917003394089029/ncpsW9dL3ppy5XImRUk_yC5LLlOaH3hgRAfrCq9MwEsuQnjiTA2RO_OO99Xx3AoG6pBH
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` runs immediately on module import.
- `index.js` executes `printenv` and sends its Base64 output.
- `index.js` executes `tree ../`, exposing parent-directory metadata.
- `index.js` collects hostname, username, private/public IPs, and CWD.
- `index.js` POSTs collected data to a hard-coded Discord webhook.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- No files are written, deleted, or persisted by inspected source.
- No remote code download or eval path was found.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceindex.jsView file
4const os = require("os");
L5: const packageJson = require("./package.json");
L6: const { exec } = require("child_process");
L7: const util = require("util");
L8:
L9: const WEBHOOK_URL = "https://discord.[redacted]ncpsW9dL3ppy5XImRUk_yC5LLlOaH3hgRAfrCq9MwEsuQnjiTA2RO_OO99Xx3AoG6pBH";
L10:
...
L15: function getPrivateIPs() {
L16: return Object.values(os.networkInterfaces())
L17: .flat()
...
L33: }
L34: const data = await response.json();
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
index.jsView on unpkg · L44Trigger-reachable chain: manifest.main -> index.js
L4: const os = require("os");
L5: const packageJson = require("./package.json");
L6: const { exec } = require("child_process");
L7: const util = require("util");
L8:
L9: const WEBHOOK_URL = "https://discord.[redacted]ncpsW9dL3ppy5XImRUk_yC5LLlOaH3hgRAfrCq9MwEsuQnjiTA2RO_OO99Xx3AoG6pBH";
L10:
...
L15: function getPrivateIPs() {
L16: return Object.values(os.networkInterfaces())
L17: .flat()
...
L33: }
L34: const data = await response.json();
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L4Findings
2 Critical3 Medium3 Low
CriticalCredential Exfiltrationindex.js
CriticalTrigger Reachable Dangerous Capabilityindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings