AI Security Review
scanned 3h ago · by lpm-firewall-aiImporting the package activates a delayed, hidden dropper. It writes and launches a persistent credential-harvesting payload, remotely gated by a Gist/IPFS configuration, then exfiltrates discovered secrets.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- `index.js` runs a delayed dropper on every import.
- `index.js` decodes `test/fixtures/keypairs.dat` into a hidden executable and starts it detached.
- The dropped payload creates cron, LaunchAgent, or scheduled-task persistence.
- The payload searches wallet, SSH, shell-profile, and document paths for keys and mnemonics.
- The payload encrypts findings and uploads them to Pinata after remote dead-drop activation.
- `package.json` has no lifecycle scripts.
- The exported Ethereum helpers are benign, but are followed by the hidden runtime dropper.
Source & flagged code
3 flagged · loading sourceSource file is highly similar to a previously finalized malicious package; route for source-aware review.
index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
index.jsView on unpkg · L29