AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package runs its preinstall hook. The hook inventories the current project and system context, then uploads selected project files to Discord.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation invokes `preinstall` via `node index.js`.
Impact
Exfiltrates readable project files (up to 500, 8 MB each) plus host, user, path, and directory metadata.
Mechanism
Install-time recursive file harvesting and Discord webhook exfiltration.
Attack narrative
On installation, npm executes `index.js` through `preinstall`. It scans the installer’s current working directory, collects a directory tree and host/user metadata, recursively selects readable files, and sends each file’s raw contents to a hard-coded Discord webhook in batches.
Rationale
Source directly implements an unconsented install-time exfiltration chain rather than legitimate package behavior. The static hint is confirmed by the manifest and complete source inspection.
Evidence
package.jsonindex.js
Network endpoints1
discord.com/api/webhooks/1471187072869073017/4TsUJVIxwZ_K73DBPmHOX4CDMq7TYdt1nTkg3KSCjA2L76gazQfO_mODyZfxPMuikqur
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- package.json defines `preinstall: node index.js`.
- index.js immediately calls `main()` on execution.
- index.js enumerates up to 500 cwd files, excluding only selected paths.
- index.js reads selected files and uploads their bytes to a Discord webhook.
- index.js posts hostname, cwd, username, platform, and directory tree first.
- Discord webhook endpoint is hard-coded in index.js.
Evidence against
- Only package files are `package.json` and `index.js`; no benign implementation is present.
- No user opt-in, configuration, or package-aligned endpoint is required.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgindex.jsView file
2const path = require('path');
L3: const https = require('https');
L4: const os = require('os');
...
L29: const SKIP_FILENAMES = new Set([
L30: 'package.json',
L31: 'package-lock.json',
...
L122: req.on('error', reject);
L123: req.write(data);
L124: req.end();
...
L140:
L141: const payloadBuffer = Buffer.from(payload, 'utf8');
L142: const footerBuffer = Buffer.from(`\r\n--${boundary}--\r\n`);
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
index.jsView on unpkg · L22Trigger-reachable chain: scripts.preinstall -> index.js
L2: const path = require('path');
L3: const https = require('https');
L4: const os = require('os');
...
L29: const SKIP_FILENAMES = new Set([
L30: 'package.json',
L31: 'package-lock.json',
...
L122: req.on('error', reject);
L123: req.write(data);
L124: req.end();
...
L140:
L141: const payloadBuffer = Buffer.from(payload, 'utf8');
L142: const footerBuffer = Buffer.from(`\r\n--${boundary}--\r\n`);
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg · L2Findings
2 Critical1 High3 Medium4 Low
CriticalCredential Exfiltrationindex.js
CriticalTrigger Reachable Dangerous Capabilityindex.js
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings