AI Security Review
scanned 2h ago · by lpm-firewall-aiInstallation executes the package entrypoint automatically. It harvests credentials and wallet keys, exfiltrates collected data, attempts cryptocurrency theft, and establishes local persistence.
Decision evidence
public snapshot- `package.json` runs `node dist/index.min.js` in `postinstall`.
- `dist/index.min.js` reads selected environment secrets and home-directory credential/wallet files.
- `dist/index.min.js` double-encodes collected data and sends it to Telegram and a configured webhook.
- `dist/index.min.js` uses harvested private keys to transfer ETH/BTC to configured attacker wallets.
- `dist/index.min.js` appends shell startup files and drops an autostart entry plus `/tmp/sys-core.js`.
- `config/attacker-config.json` defines secret targets, exfiltration configuration, and recipient wallets.
- No source facts support the stated ethers utility purpose.
- No user command, opt-in, or guard protects the install-time behavior.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource writes persistence or remote-access backdoor material.
dist/index.min.jsView on unpkg · L3A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.min.jsView on unpkg · L3Source collects local host identity data and sends it to an external endpoint.
dist/index.min.jsView on unpkg · L3