registry  /  eth-react-redirection  /  1.0.1

eth-react-redirection@1.0.1

A lightweight React library for **declarative and programmatic navigation** with support for redirects, route guards, authentication flows, and conditional navigation.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Importing the package launches a detached hidden helper. The helper contacts an obfuscated remote endpoint and can execute JavaScript returned by that server.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review
Trigger
Any runtime import of the `index.js` entrypoint.
Impact
Remote operator can run arbitrary Node.js code in the importing user's environment.
Mechanism
Detached remote payload retrieval and dynamic code execution.
Attack narrative
On import, `index.js` silently detaches a Node process running `lib/caller.js`. That helper is obfuscated and duplicated as `lib/config.js`; its visible equivalent payload in `lib/levels.js` fetches a URL assembled from hidden configuration using a hidden authorization value. If the response is a 404 containing `data.token`, it passes that server-controlled string to `Function.constructor` with `require`, enabling arbitrary code execution outside the package's stated functionality.
Rationale
This is a concrete import-time remote-code-execution chain, not merely suspicious primitives. The hidden endpoint and token obfuscation, detached execution, and unrelated exported functionality indicate malicious intent.
Evidence
package.jsonindex.jslib/caller.jslib/config.jslib/levels.js

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` immediately spawns `lib/caller.js` detached when imported.
  • `lib/caller.js` is 67 KB obfuscated code using `Function(...)` dynamic evaluation.
  • `lib/caller.js` loads Axios and hidden values from `./config`.
  • `lib/levels.js` shows the payload logic: Axios GET with a hidden bearer-like token.
  • On HTTP 404, `lib/levels.js` executes server-provided `error.response.data.token` via `Function.constructor`.
  • `lib/config.js` is byte-identical to the obfuscated `lib/caller.js`, concealing the endpoint and credentials.
Evidence against
  • `package.json` has no npm lifecycle hook.
  • No package-local file write, deletion, or AI-agent configuration mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 189 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
index.jsView file
3const path = require('path'); L4: const { spawn } = require('child_process'); L5:
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
3Cross-file remote execution chain: index.js spawns lib/caller.js; helper contains network access plus dynamic code execution. L3: const path = require('path'); L4: const { spawn } = require('child_process'); L5: ... L7: function callCallerAsOrigin() { L8: const script = path.resolve(__dirname, 'lib/caller.js'); L9: const child = spawn(process.execPath, [script], { ... L62: const [headerRaw, payloadRaw] = parts; L63: const header = JSON.parse(Buffer.from(headerRaw, 'base64url').toString('utf8')); L64: const payload = JSON.parse(Buffer.from(payloadRaw, 'base64url').toString('utf8'));
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

index.jsView on unpkg · L3
matchType = normalized_sha256 matchedPackage = chai-redirection@0.0.3 matchedPath = index.js matchedIdentity = npm:Y2hhaS1yZWRpcmVjdGlvbg:0.0.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

index.jsView on unpkg
lib/caller.jsView file
1Function("H9rYmof","\"use strict\";var TX36dv,hhEo8ZP,Nv98JYv,ZozhKIV,vwcMVI,QPfGur,p2j9ZJv,r45jV9,umfG5xY,H2yaHS,CHCAsu;const _NWYTkD=[0xc0,0x0,0x1,0x43,0x82,0x96,\"i\",\"g\",0xca...
High
Eval

Package source references dynamic code evaluation.

lib/caller.jsView on unpkg · L1

Findings

4 High2 Medium3 Low
HighChild Processindex.js
HighEvallib/caller.js
HighCross File Remote Execution Contextindex.js
HighKnown Malware Source Similarityindex.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings