AI Security Review
scanned 3h ago · by lpm-firewall-aiInstallation triggers `node index.js` through `postinstall`. The script fingerprints the installing host and exfiltrates the data to a hard-coded Discord webhook.
OSV Corroboration
OpenSSF/OSVDecision evidence
public snapshot- `package.json` defines `postinstall: node index.js`.
- `index.js` executes an async collector immediately at import/execution.
- `index.js` collects hostname, username, OS/architecture, working directory, private IPs, and public IP.
- `index.js` POSTs collected host data to a hard-coded Discord webhook.
- Public IP lookup is sent to `api.ipify.org` during installation.
- Only `package.json` and `index.js` are present.
- No file deletion, shell execution, persistence, or AI-agent control-surface mutation was found.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource appears to send environment or credential material to an external endpoint.
index.jsView on unpkg · L4A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L4Source collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L4