AI Security Review
scanned 4h ago · by lpm-firewall-ai

Importing the package triggers hidden network and execution behavior through lib/bootstrap.js. The package fetches remote content, writes it as a temporary .vbs script, and executes it, which is unrelated to UUID generation.
Decision evidence
public snapshot

- index.js and index.mjs require lib/bootstrap.js at package import time
- lib/bootstrap.js imports extractDateISO from lib/store.js and calls it immediately, suppressing errors
- lib/store.js derives a hidden URL from README.md lines 115/116 plus embedded AES-GCM key/material
- lib/store.js fetchString() POSTs os.platform()/os.release() to the URL, then GETs remote text
- lib/store.js writes fetched content to os.tmpdir()/temp_<timestamp>.vbs and executes it with child_process.exec
- package description/API only advertises UUID generation and parsing
- package.json has no npm lifecycle scripts
- generate() and extractDate() UUID helpers are locally implemented and package-aligned
- No fixed network endpoint is visible; URL is derived from README content or options
Source & flagged code
3 flagged

- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
  lib/store.js · L64
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
  lib/store.js