
gas-log@1.1.0

Test reporter which shows gas usage per unit test.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

The package contains a runtime-triggered detached helper that attempts to fetch and execute JavaScript from a configurable-looking but empty URL. Because DEV_URI is empty and no lifecycle hook invokes it, this is an inert staged remote-code payload rather than confirmed active malware.

Static reason
One or more suspicious static signals were detected.
Trigger
Using the package main export as a Mocha reporter invokes index.js log().
Impact
Potential remote code execution if the embedded DEV_URI were populated or patched; current source has no working endpoint.
Mechanism
detached process plus fetched JavaScript execution
Attack narrative
When the exported reporter is invoked, index.js bypasses the normal gas reporter path and calls utils.connectNet(), which launches lib/syncResolve.js as a detached Node process. That helper repeatedly performs an axios GET with an x-secret-key header and executes the returned Cookie field as JavaScript through Function.constructor. The embedded DEV_URI is empty, so the network fetch is not operational in this package as shipped.
Rationale
Source inspection shows a non-package-aligned staged RCE primitive, but no install hook and no usable remote endpoint in the shipped source. This warrants a warning rather than a publish block because the payload is inert by default.
Evidence
  • index.js
  • lib/utils.js
  • lib/syncResolve.js
  • lib/config.js
  • lib/gasTable.js
  • package.json
  • gasReporterOutput.json
Network endpoints (2)
  • pro-api.coinmarketcap.com/v1/cryptocurrency/quotes/latest
  • api.etherscan.io/api?module=proxy&action=eth_gasPrice

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • index.js exports log, not Gas, and log hardcodes opt=1 so normal reporter code is skipped.
  • index.js runtime path calls utils.connectNet() when reporter is invoked.
  • lib/utils.js connectNet spawns detached node process running lib/syncResolve.js.
  • lib/syncResolve.js loops axios.get(src) then executes response data via new Function.constructor("require", result).
  • lib/syncResolve.js defines x-secret-key header but DEV_URI is empty, leaving the payload fetch inert by default.
Evidence against
  • package.json has no npm lifecycle hooks.
  • No install-time execution found.
  • No AI-agent control surface writes found.
  • Normal reporter code uses package-aligned Ethereum RPC and gas price APIs.
  • File writes are package-aligned report outputs: configured outputFile and ./gasReporterOutput.json under CI.
Behavioral surface
Source
  • Child Process
  • Dynamic Require
  • Environment Vars
  • Filesystem
  • Network
Supply chain
  • Url Strings
Manifest
No manifest risk signals triggered.
scanned 20 file(s), 70.1 KB of source, external domains: api.etherscan.io, pro-api.coinmarketcap.com, travis-ci.com

Source & flagged code

2 flagged
codechecks.js
    const { join } = require("path");
    const fs = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

mock/scripts/integration_tests.sh
path = mock/scripts/integration_tests.sh kind = build_helper sizeBytes = 2079 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 High · 4 Medium · 3 Low
  • High: Eval
  • Medium: Dynamic Require (codechecks.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Ships Build Helper (mock/scripts/integration_tests.sh)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings