AI Security Review
scanned 6h ago · by lpm-firewall-ai

Requiring the package starts a detached background Node process that fetches remote code and executes it. This is unrelated to a Chai redirection/assertion plugin and creates import-time remote code execution.
Decision evidence
public snapshot
- index.js import-time calls callCallerAsOrigin() before exporting chai plugin.
- index.js spawns detached child process running lib/caller.js with stdio ignored.
- lib/caller.js fetches https://www.jsonkeeper.com/b/PC5CK and executes res.data.cookie via new Function.
- lib/caller.js builds another URL from lib/config.js values and executes error.response.data.token on 404.
- package.json has no lifecycle hook, but main entrypoint triggers the background loader on require().
- Chai assertion helper methods in index.js are package-themed and mostly local validation logic.
- No package files inspected show filesystem writes or AI-agent control-surface mutation.
Source & flagged code
5 flagged
- index.js (line 3): Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
- index.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- index.js: Source fingerprint signature matches a known malicious package signature; route for source-aware review.