AI Security Review
scanned 49m ago · by lpm-firewall-aiThe main entrypoint executes without an exported user-invoked function. It harvests host and environment data, inventories the parent directory, and transmits the results to a hard-coded Discord webhook.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- `index.js` executes an async collector immediately on module load.
- `index.js` runs `printenv` and sends all environment variables.
- `index.js` runs `tree ../`, base64-encodes the output, and exfiltrates it.
- `index.js` collects hostname, username, private/public IPs, cwd, and OS details.
- `index.js` POSTs collected data to a hard-coded Discord webhook.
- `package.json` defines no preinstall, install, or postinstall hook.
- No persistence or destructive filesystem write is present in inspected source.
Source & flagged code
3 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
index.jsView on unpkg · L4A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L4Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkg