AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package executes a remote script at install time. The benign date formatting entrypoint is separate from the install hook and does not explain the remote code execution.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install / package postinstall lifecycle
Impact
Arbitrary remote code execution on installer host, with Windows batch file dropped under Public user path.
Mechanism
install-time remote script download and execution
Attack narrative
On install, npm runs postinstall.js. That script detects the OS, builds a URL to 115.190.124.243:8761, and executes the fetched payload: Unix systems pipe slt directly into sh, while Windows uses certutil to write swt to C:\Users\Public\run.bat and then runs it. This is unconsented install-time remote code execution unrelated to the date formatting library API.
Rationale
Static source inspection confirms a lifecycle hook that fetches and executes remote code during installation. This is concrete malicious behavior, not merely a suspicious primitive.
Evidence
- package.json
- postinstall.js
- index.js
- index.d.ts
- C:\Users\Public\run.bat
Network endpoints (2)
- 115.190.124.243:8761/slt
- 115.190.124.243:8761/swt
Decision evidence
public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json defines postinstall: node postinstall.js
- postinstall.js uses child_process.execSync during npm install
- postinstall.js downloads from http://115.190.124.243:8761/slt on Unix and pipes to sh
- postinstall.js downloads http://115.190.124.243:8761/swt on Windows via certutil to C:\Users\Public\run.bat then executes it
Evidence against
- index.js only exports date formatting helpers
- No credential harvesting logic visible in the shipped source itself
Behavioral surface
ChildProcess
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 1 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Low: Scripts Present