registry  /  chain-js-utils  /  2.1.1

chain-js-utils@2.1.1

...

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Runtime invocation launches a detached child process that downloads and executes server-controlled JavaScript. The payload receives CommonJS `require`, enabling arbitrary local actions available to the host process.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Calling the package's exported `vCheck` function.
Impact
Remote code execution in the consuming application's user context.
Mechanism
Detached remote payload fetch followed by dynamic code execution.
Attack narrative
A consumer calling `vCheck` causes `index.js` to spawn a detached Node process running `lib/vcall.js`. That module retrieves a field from a fixed remote API endpoint and compiles it with `Function.constructor`, passing `require` into the remote code. The endpoint can therefore supply arbitrary Node.js code for execution without a package update.
Rationale
The package contains a concrete remote-code-execution chain, not merely network or process primitives. Absence of an install hook limits the trigger but does not mitigate runtime execution of server-controlled code.
Evidence
package.jsonindex.jslib/vcall.js
Network endpoints1
api.jsonsilo.com/public/94b14d9d-6286-4b13-a7fe-8442e55a31b4

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` spawns detached Node process when exported function is invoked.
  • `lib/vcall.js` fetches remote `data.model` from `api.jsonsilo.com`.
  • `lib/vcall.js` executes fetched source with `Function.constructor` and `require` access.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Remote execution requires an application to invoke the exported function.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 51.6 KB of source, external domains: api.jsonsilo.com, github.com

Source & flagged code

3 flagged · loading source
2patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L2: DEV_DEPENDENCY_TOKEN=<redacted:4 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L2
index.jsView file
matchType = malicious_source_fingerprint_signature signature = edfaf93641481f1b signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = notify-utilities@1.3.5 matchedPath = index.js matchedIdentity = npm:bm90aWZ5LXV0aWxpdGllcw:1.3.5 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

1 Critical1 High3 Medium3 Low
CriticalCritical Secret.env
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings