AI Security Review
scanned 6h ago · by lpm-firewall-ai
The package carries a hidden crypto-clipboard hijacker, host/profile detector, exfiltration client, and persistence writer in both runtime entrypoints. Due to the activation logic, the malicious routine does not appear to become active during normal import.
Decision evidence
public snapshot
- dist/index.cjs and dist/index.js contain hidden clipboard wallet-address replacement logic.
- Code defines exfiltration to http://2.27.62.51:8080/api/health and :8081/api/health.
- Detection code reads wallet/browser/Telegram/SSH/.npmrc/.env indicators from user home and cwd.
- Persistence code appends shell rc hooks or writes a Windows Startup loader.
- The dangerous block is hidden in package entrypoints, unrelated to Base58 encoding.
- package.json has no install/postinstall hook; only prepublishOnly build script.
- Activation is effectively inert: INSTALL_TIME is set at module load, _checkActivation runs immediately before the 72h delay can pass, and _internal.activate sets activated before calling _checkActivation.
Source & flagged code
8 flagged
- Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses. (dist/index.js · L103)
- Package metadata claims a different repository identity while copied source loads a runtime dependency bridge. (dist/index.js · L533)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (dist/index.js)
- Package source references dynamic require/import behavior. (dist/index.js · L11)
- Source writes installer persistence such as shell profile or service configuration. (dist/index.js · L103)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/index.cjs)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (dist/index.cjs)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (dist/index.cjs)