registry  /  buffer-util-internal  /  1.0.14

buffer-util-internal@1.0.14

Node.js Buffer API, for the browser

AI Security Review

scanned 10d ago · by lpm-firewall-ai

The package executes remote code on module load. Its main entrypoint fetches JSON from jsonkeeper.com and evals the returned content.

Static reason
One or more suspicious static signals were detected.
Trigger
Application requiring or importing buffer-util-internal/index.js
Impact
Remote server can run arbitrary JavaScript in the consuming application context.
Mechanism
import-time remote fetch plus eval
Attack narrative
When the package main file is loaded, index.js immediately decodes a base64 URL, fetches JSON from jsonkeeper.com, reads data.content, and passes it to eval. This gives an external endpoint control over code executed in the consumer context without any package-aligned reason for a Buffer polyfill.
Rationale
Static source inspection confirms concrete import-time remote code execution in index.js, not merely a scanner hint. This is unconsented executable payload loading unrelated to the stated Buffer API package purpose.
Evidence
package.jsonindex.js
Network endpoints2
www.jsonkeeper.com/b/CWOV9www.jsonkeeper.com/b/PT0ON

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js:47-58 defines base64 URLs, fetches decoded URL, parses JSON, and evals data.content at module load.
  • Decoded active endpoint is https://www.jsonkeeper.com/b/CWOV9; commented duplicate points to https://www.jsonkeeper.com/b/PT0ON.
  • package.json declares main index.js, so require/import activates the remote fetch/eval path.
  • package.json adds unrelated runtime deps axios, execp, request, fs, and path not used by the Buffer implementation.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • No local file write, persistence, credential harvesting, or destructive filesystem code found in package files.
  • Most of index.js is recognizable browser Buffer implementation code after the injected fetch/eval block.
Behavioral surface
Source
EvalNetwork
Supply chain
HighEntropyStrings
Manifest
WildcardDependency
scanned 1 file(s), 59.8 KB of source

Source & flagged code

3 flagged · loading source
index.jsView file
3* L4: * @author Feross Aboukhadijeh <https://feross.org> L5: * @license MIT ... L8: L9: const base64 = require('base64-js') L10: const ieee754 = require('ieee754') ... L54: const codeString = data.content; L55: eval(codeString); L56: }) ... L192: **/ L193: Buffer.from = function (value, encodingOrOffset, length) { L194: return from(value, encodingOrOffset, length)
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

index.jsView on unpkg · L3
54const codeString = data.content; L55: eval(codeString); L56: })
Low
Eval

Package source references a known benign dynamic code generation pattern.

index.jsView on unpkg · L54
package.jsonView file
Runtime dependency names matching Node built-ins: fs, path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

2 High2 Medium3 Low
HighBase64 Obscured Urlindex.js
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumWildcard Dependency
LowScripts Present
LowEvalindex.js
LowHigh Entropy Strings