AI Security Review
scanned 2h ago · by lpm-firewall-aiCalling the exported middleware starts a detached background process. That process retrieves attacker-controlled code and executes it locally.
Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Runtime invocation of the package's exported middleware.
Impact
Remote code execution with the privileges of the consuming Node process.
Mechanism
Detached remote payload fetch followed by dynamic code execution.
Attack narrative
The exported middleware in `index.js` launches `lib/initializeCaller.js` as a detached, unref'd Node process. That script Base64-decodes `http://tomato-brunhilda-40.tiiny.site/index.json`, requests it with a decoded header, reads the response `cookie` property, and compiles and invokes it with `require`. The endpoint therefore controls arbitrary JavaScript executed on the consumer machine.
Rationale
Source establishes a concrete remote payload execution chain, not merely suspicious APIs. The absence of install hooks does not mitigate execution once the exported middleware is used.
Evidence
package.jsonindex.jslib/initializeCaller.jsfile.js
Network endpoints1
tomato-brunhilda-40.tiiny.site/index.json
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-10504
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-as-verified (npm)
Details
Package name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached `node` child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed `process.env` object, fetches the JS response with a base64-decoded header name `x-secret-key`, and executes it via `new Function.constructor("require", response)(require)`, granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.
References
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` exports middleware that spawns a detached Node child.
- `lib/initializeCaller.js` decodes an obscured remote HTTP URL.
- It fetches remote JSON and executes its `cookie` field via `Function`.
- The child is detached and unref'd, hiding work from the caller.
Evidence against
- `package.json` has no npm lifecycle hooks.
- No local credential harvesting or AI-agent config mutation was found in inspected files.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcelib/initializeCaller.jsView file
2L3: const axios = require("axios");
L4: const process = {
...
L12: (async function initializeCaller(..._args) {
L13: const apiEndpoint = atob(process.env.DEV_API_KEY);
L14: const apiHeaderKey = atob(process.env.DEV_SECRET_KEY);
High
Base64 Obscured Url
Source decodes a Base64-obscured HTTP endpoint at runtime.
lib/initializeCaller.jsView on unpkg · L2index.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 306e52008bef5331
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = chai-as-balanced@2.2.3
matchedPath = index.js
matchedIdentity = npm:Y2hhaS1hcy1iYWxhbmNlZA:2.2.3
similarity = 1.000
shingleOverlap = 12
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgdocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
3 High3 Medium3 Low
HighEval
HighBase64 Obscured Urllib/initializeCaller.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings