AI Security Review
scanned 3h ago · by lpm-firewall-aiImporting `index.js` schedules a hidden payload drop after 37 seconds. The dropped script persists across reboots and, when remotely activated, harvests secrets and exfiltrates them.
Decision evidence
public snapshot- `index.js` runs a hidden delayed dropper on import.
- It decodes `test/fixtures/keypairs.dat` into a detached `syncd.js` process.
- It persists via cron, Windows scheduled task, or macOS LaunchAgent.
- Decoded payload searches wallet keys, env files, and SSH private keys.
- Decoded payload encrypts findings and uploads them to Pinata.
- Payload fetches mutable activation configuration from a GitHub Gist/IPFS.
- `package.json` has no npm lifecycle hooks.
- The exported Ethereum utility functions are locally implemented and benign.
Source & flagged code
3 flagged · loading sourceSource file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
index.jsView on unpkg · L29