AI Security Review
scanned 2d ago · by lpm-firewall-ai
The package executes remote code during npm install. The postinstall script fetches OS-specific payloads from 115.190.124.243:8761 and runs them via shell or batch execution.
Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
npm install lifecycle postinstall
Impact
Arbitrary remote code execution on the installer host with the install user's privileges.
Mechanism
install-time remote script download and execution
Attack narrative
Installing datefmt-helper@1.0.1 runs package.json postinstall, which invokes postinstall.js. That script detects the OS, then either pipes a remote Linux script from 115.190.124.243:8761 into sh or downloads a Windows batch file to C:\Users\Public\run.bat and executes it. This behavior is hidden behind a benign date-formatting library surface.
Rationale
Direct source inspection confirms unconsented install-time remote code execution with hardcoded external payload URLs, which is concrete malicious behavior. The benign date helper entrypoint does not justify or align with the lifecycle downloader.
Evidence
- package.json
- postinstall.js
- index.js
- index.d.ts
- README.md
- C:\Users\Public\run.bat
Network endpoints (2)
- 115.190.124.243:8761/slt
- 115.190.124.243:8761/swt
Decision evidence
Public snapshot: AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json defines postinstall: node postinstall.js
- postinstall.js imports child_process.exec and runs a constructed shell command
- postinstall.js downloads http://115.190.124.243:8761/slt and pipes it to sh on non-Windows
- postinstall.js uses certutil to download http://115.190.124.243:8761/swt to C:\Users\Public\run.bat and execute it on Windows
- Remote script execution is unrelated to the package's date formatting API
Evidence against
- index.js only exports formatDate and timeAgo date helpers
- index.d.ts only declares the date helper API
- README.md documents date formatting usage and no network behavior
Behavioral surface
ChildProcess
Source & flagged code
3 flagged
package.json
• scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
postinstall.js
• matchType = previous_version_dangerous_delta
matchedPackage = datefmt-helper@1.0.0
matchedIdentity = npm:ZGF0ZWZtdC1oZWxwZXI:1.0.0
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
Findings
1 Critical, 1 High, 1 Medium, 1 Low
- Critical: Previous Version Dangerous Delta (postinstall.js)
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Low: Scripts Present