AI Security Review
scanned 13h ago · by lpm-firewall-aiThe package has confirmed import-time malware behavior. Requiring the main module launches a detached Node helper that fetches remote code and executes it.
Static reason
One or more suspicious static signals were detected.
Trigger
runtime import of index.js via require/use as Chai plugin
Impact
Remote operator can execute arbitrary Node.js code in the consumer environment when the package is imported.
Mechanism
detached child process with remote JavaScript fetch and dynamic execution
Attack narrative
On import, index.js immediately calls callCallerAsOrigin(), spawning lib/caller.js as a detached child process and unrefing it. The child fetches remote content from jsonkeeper and executes a response field with new Function, and also contacts a config-derived endpoint with a token-like header, executing returned token code on a 404 path. This is unconsented remote code execution outside the advertised Chai assertion functionality.
Rationale
Source inspection confirms import-time detached execution and network-loaded JavaScript execution unrelated to a Chai assertion plugin. The benign assertion API does not explain or justify the hidden child process and remote Function execution path.
Evidence
index.jslib/caller.jspackage.json
Network endpoints1
www.jsonkeeper.com/b/PC5CK
Decision evidence
public snapshotAI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
- index.js runs callCallerAsOrigin() at import time, spawning lib/caller.js detached with stdio ignored.
- lib/caller.js fetches https://www.jsonkeeper.com/b/PC5CK and executes res.data.cookie via new Function.
- lib/caller.js also builds a config-derived request and executes 404 response data.token via Function.constructor.
- package.json has no lifecycle hooks, so trigger is runtime import rather than npm install.
Evidence against
- Exported Chai assertion methods are benign validation helpers.
- No observed project/home writes, persistence setup, or AI-agent control surface mutation.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourceindex.jsView file
3const path = require('path');
L4: const { spawn } = require('child_process');
L5:
High
3Cross-file remote execution chain: index.js spawns lib/caller.js; helper contains network access plus dynamic code execution.
L3: const path = require('path');
L4: const { spawn } = require('child_process');
L5:
...
L7: function callCallerAsOrigin() {
L8: const script = path.resolve(__dirname, 'lib/caller.js');
L9: const child = spawn(process.execPath, [script], {
...
L62: const [headerRaw, payloadRaw] = parts;
L63: const header = JSON.parse(Buffer.from(headerRaw, 'base64url').toString('utf8'));
L64: const payload = JSON.parse(Buffer.from(payloadRaw, 'base64url').toString('utf8'));
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
index.jsView on unpkg · L3lib/caller.jsView file
3const axios = require("axios");
L4: const { DEV_API_CHECK_DOMAIN, DEV_DEPENDENCY_TOKEN, aspath, token } = require("./config"); async function runHa...
L5:
High
README.mdView file
171patternName = generic_password
severity = medium
line = 171
matchedText = password...23!"
Medium
Findings
3 High3 Medium3 Low
HighChild Processindex.js
HighEvallib/caller.js
HighCross File Remote Execution Contextindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret PatternREADME.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings